dcrat | 389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440

General

Target

389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
Size

2.6MB
MD5

9f9b0eb47733bd75a7364f8da3611b65
SHA1

5762050c31e81b2b4ae6e1f139455bf3893ec956
SHA256

389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440
SHA512

61767943b0eb46d39039458e67dde248a0756a7499d084720824253b0af1aed5209148e7ba7ee3056f9fc1549e2d04d595777f31917795d9e75d2d3d7419d10c
SSDEEP

49152:Z35SQwOGHHy3Gv6KelFCGDZPU542T5eYfn4jmnHwDKni5Js:ZpSQEHIKqFCGDZs54+5eYfnCMQ+i5J

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2404	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

winlogon.exe389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2336-1-0x0000000000D20000-0x0000000000FC8000-memory.dmp	dcrat
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe	dcrat
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe	dcrat
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe	dcrat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\dllhost.exe	dcrat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe	dcrat
behavioral1/memory/1276-136-0x0000000000BC0000-0x0000000000E68000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

winlogon.exe

pid process

1276 winlogon.exe

pid	process
1276	winlogon.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe

Drops file in Program Files directory 5 IoCs

Processes:

389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe

description	ioc	process
File created	C:\Program Files\Windows Mail\ja-JP\winlogon.exe	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\winlogon.exe	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File created	C:\Program Files\Windows Mail\ja-JP\cc11b995f2a76d	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\RCXB9A1.tmp	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\RCXB9A2.tmp	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe

Drops file in Windows directory 5 IoCs

Processes:

389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe

description	ioc	process
File created	C:\Windows\Help\mui\0410\csrss.exe	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File created	C:\Windows\Help\mui\0410\886983d96e3d3e	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Windows\Help\mui\0410\RCXBC13.tmp	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Windows\Help\mui\0410\RCXBC14.tmp	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Windows\Help\mui\0410\csrss.exe	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2744	schtasks.exe
2636	schtasks.exe
2656	schtasks.exe
2760	schtasks.exe
1152	schtasks.exe
2812	schtasks.exe
2828	schtasks.exe
2568	schtasks.exe
2804	schtasks.exe
2536	schtasks.exe
2196	schtasks.exe
688	schtasks.exe
1252	schtasks.exe
2780	schtasks.exe
2800	schtasks.exe
1748	schtasks.exe
2564	schtasks.exe
848	schtasks.exe
2696	schtasks.exe
2144	schtasks.exe
2888	schtasks.exe
1948	schtasks.exe
2764	schtasks.exe
2896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exewinlogon.exe

pid	process
2336	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
1276	winlogon.exe
1276	winlogon.exe
1276	winlogon.exe
1276	winlogon.exe
1276	winlogon.exe
1276	winlogon.exe
1276	winlogon.exe
1276	winlogon.exe
1276	winlogon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

winlogon.exe

pid process

1276 winlogon.exe

pid	process
1276	winlogon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exewinlogon.exe

description	pid	process
Token: SeDebugPrivilege	2336	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
Token: SeDebugPrivilege	1276	winlogon.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe

description	pid	process	target process
PID 2336 wrote to memory of 1276	2336	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe	winlogon.exe
PID 2336 wrote to memory of 1276	2336	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe	winlogon.exe
PID 2336 wrote to memory of 1276	2336	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe	winlogon.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
"C:\Users\Admin\AppData\Local\Temp\389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2336
- C:\Program Files\Windows Mail\ja-JP\winlogon.exe
  "C:\Program Files\Windows Mail\ja-JP\winlogon.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\mui\0410\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Help\mui\0410\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Help\mui\0410\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Cookies\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Cookies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df6144403" /sc MINUTE /mo 7 /tr "'C:\Users\Default\NetHood\389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440" /sc ONLOGON /tr "'C:\Users\Default\NetHood\389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df6144403" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe

Filesize
2.6MB

MD5
a5fe1322b0f554dbe73968d198eab953

SHA1
1685812744f6f1722dabb08065e8ee249211d3ec

SHA256
aa62fba0659d4da7c938cb30bb8b53d1cbc55427e304ac0956a45bd9c9b653e7

SHA512
98d7819beb1fb0528a429768cd9bc6a2cee3873285945b6107a58d4859cd2fa1e9a31ac43785afdaee7bd1d275ab50ae80f441b850ca1375d383763d0aa11609

Download Submit
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe

Filesize
2.6MB

MD5
9f9b0eb47733bd75a7364f8da3611b65

SHA1
5762050c31e81b2b4ae6e1f139455bf3893ec956

SHA256
389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440

SHA512
61767943b0eb46d39039458e67dde248a0756a7499d084720824253b0af1aed5209148e7ba7ee3056f9fc1549e2d04d595777f31917795d9e75d2d3d7419d10c

Download Submit
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe

Filesize
2.6MB

MD5
0e5ce8f13a1cface8af8dec9d6a68cc1

SHA1
13a0f8b60b119f66e48bdb58ca1032e727cec7da

SHA256
cd73c758d7302a7107f1a85a4232dde57f985f1cc02f3e0302c64817e9bee952

SHA512
58a272aeaf79685d042790d688c84fb209f64d435637c60501d34fbf69e428062316b8468033051165730ce5bec51e78b60faf110cfd487303a39e5b4cd32887

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\dllhost.exe

Filesize
2.6MB

MD5
67af7860cd5d74badca2064703c872b6

SHA1
5c45a8717b7a106f68f4d952974a1fe40da7e89d

SHA256
f9a3fd0c2a3a1cf731583d1373007611cd2a16aea550d95c21818190fce954b1

SHA512
ed06ae9e51d1b02cd04703e65ed2a706ca391d07c41eb38fcabf47e631e54683286313cee97fa9890afcccf8f150fc95f8b95a0214826c6a4e29724ba5f9e796

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe

Filesize
2.6MB

MD5
8f9c9f03a1ef26960a30c5ec8306c76e

SHA1
b1f63aea083a9a1d96d9d4f7811f1ef1e4a925e2

SHA256
ee3ec290e0971d38971e05ea6f2c764e74f435bce8415c9c4f1dac53990e1d7c

SHA512
97ff636ea27f540fe8ff3c06b94cf9f1bc411dae76b6fdb3bceb934f74baa4a8afcd5d2efcc3de18017d00fea513ef68d65619b7ad54282c67e1fcd2fff28ab0

Download Submit
memory/1276-138-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/1276-136-0x0000000000BC0000-0x0000000000E68000-memory.dmp

Filesize
2.7MB

Download
memory/2336-12-0x0000000000D00000-0x0000000000D12000-memory.dmp

Filesize
72KB

Download
memory/2336-16-0x00000000024A0000-0x00000000024AE000-memory.dmp

Filesize
56KB

Download
memory/2336-9-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

Filesize
40KB

Download
memory/2336-10-0x0000000002440000-0x0000000002496000-memory.dmp

Filesize
344KB

Download
memory/2336-11-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

Filesize
32KB

Download
memory/2336-0-0x000007FEF6083000-0x000007FEF6084000-memory.dmp

Filesize
4KB

Download
memory/2336-13-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/2336-14-0x00000000023F0000-0x00000000023F8000-memory.dmp

Filesize
32KB

Download
memory/2336-15-0x0000000002490000-0x000000000249C000-memory.dmp

Filesize
48KB

Download
memory/2336-8-0x0000000000CD0000-0x0000000000CD8000-memory.dmp

Filesize
32KB

Download
memory/2336-17-0x00000000024B0000-0x00000000024BC000-memory.dmp

Filesize
48KB

Download
memory/2336-18-0x00000000024C0000-0x00000000024CA000-memory.dmp

Filesize
40KB

Download
memory/2336-7-0x0000000000CB0000-0x0000000000CC6000-memory.dmp

Filesize
88KB

Download
memory/2336-6-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

Filesize
64KB

Download
memory/2336-5-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/2336-4-0x0000000000B80000-0x0000000000B9C000-memory.dmp

Filesize
112KB

Download
memory/2336-3-0x0000000000B70000-0x0000000000B7E000-memory.dmp

Filesize
56KB

Download
memory/2336-2-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/2336-137-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/2336-1-0x0000000000D20000-0x0000000000FC8000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads