dcrat | 389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440

General

Target

389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
Size

2.6MB
MD5

9f9b0eb47733bd75a7364f8da3611b65
SHA1

5762050c31e81b2b4ae6e1f139455bf3893ec956
SHA256

389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440
SHA512

61767943b0eb46d39039458e67dde248a0756a7499d084720824253b0af1aed5209148e7ba7ee3056f9fc1549e2d04d595777f31917795d9e75d2d3d7419d10c
SSDEEP

49152:Z35SQwOGHHy3Gv6KelFCGDZPU542T5eYfn4jmnHwDKni5Js:ZpSQEHIKqFCGDZs54+5eYfnCMQ+i5J

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	2420	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/1216-1-0x0000000000500000-0x00000000007A8000-memory.dmp	dcrat
C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\wininit.exe	dcrat
C:\Recovery\WindowsRE\OfficeClickToRun.exe	dcrat
C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\wininit.exe	dcrat
C:\Program Files\Microsoft Office\System.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

400 csrss.exe

pid	process
400	csrss.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.execsrss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in Program Files directory 30 IoCs

Processes:

389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RCX73F3.tmp	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Program Files\Microsoft Office\RCX7ABE.tmp	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File created	C:\Program Files\Windows Media Player\5b884080fd4f94	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RCX7365.tmp	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Program Files (x86)\Adobe\StartMenuExperienceHost.exe	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCX6EBF.tmp	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File created	C:\Program Files\Windows Media Player\fontdrvhost.exe	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File created	C:\Program Files\Microsoft Office\System.exe	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Program Files\Windows Media Player\fontdrvhost.exe	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCX78B9.tmp	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\wininit.exe	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\wininit.exe	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\886983d96e3d3e	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\wininit.exe	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Program Files\Windows Media Player\RCX7627.tmp	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File created	C:\Program Files (x86)\Adobe\StartMenuExperienceHost.exe	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\wininit.exe	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Program Files\Microsoft Office\RCX7B3C.tmp	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Program Files\Microsoft Office\System.exe	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\56085415360792	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCX78A9.tmp	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Program Files\Windows Media Player\RCX7617.tmp	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File created	C:\Program Files\Microsoft Office\27d1bcfc3c54e0	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\RCX6CA9.tmp	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\RCX6C99.tmp	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCX6EAE.tmp	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File created	C:\Program Files (x86)\Adobe\55b276f4edf653	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\56085415360792	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe

Drops file in Windows directory 6 IoCs

Processes:

389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe

description	ioc	process
File opened for modification	C:\Windows\Sun\Java\Deployment\SearchApp.exe	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File created	C:\Windows\WaaS\tasks\RuntimeBroker.exe	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File created	C:\Windows\Sun\Java\Deployment\SearchApp.exe	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File created	C:\Windows\Sun\Java\Deployment\38384e6a620884	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Windows\Sun\Java\Deployment\RCX7D50.tmp	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
File opened for modification	C:\Windows\Sun\Java\Deployment\RCX7D51.tmp	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
228	schtasks.exe
4812	schtasks.exe
2324	schtasks.exe
3004	schtasks.exe
772	schtasks.exe
3336	schtasks.exe
4076	schtasks.exe
4316	schtasks.exe
4488	schtasks.exe
4476	schtasks.exe
224	schtasks.exe
1284	schtasks.exe
3344	schtasks.exe
692	schtasks.exe
1400	schtasks.exe
3148	schtasks.exe
3080	schtasks.exe
2616	schtasks.exe
3288	schtasks.exe
3436	schtasks.exe
2636	schtasks.exe
2440	schtasks.exe
1828	schtasks.exe
2220	schtasks.exe
1700	schtasks.exe
1424	schtasks.exe
3924	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.execsrss.exe

pid	process
1216	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
1216	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
1216	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
1216	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
1216	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
400	csrss.exe
400	csrss.exe
400	csrss.exe
400	csrss.exe
400	csrss.exe
400	csrss.exe
400	csrss.exe
400	csrss.exe
400	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

csrss.exe

pid process

400 csrss.exe

pid	process
400	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	1216	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
Token: SeDebugPrivilege	400	csrss.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe

description	pid	process	target process
PID 1216 wrote to memory of 400	1216	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe	csrss.exe
PID 1216 wrote to memory of 400	1216	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe	csrss.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

csrss.exe389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe
"C:\Users\Admin\AppData\Local\Temp\389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1216
- C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe
  "C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\Sun\Java\Deployment\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Windows\Sun\Java\Deployment\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\wininit.exe

Filesize
2.6MB

MD5
9f9b0eb47733bd75a7364f8da3611b65

SHA1
5762050c31e81b2b4ae6e1f139455bf3893ec956

SHA256
389b5bcd7710bf7a82c4d318aae6b687f7d816590ab0d404d80fd798df614440

SHA512
61767943b0eb46d39039458e67dde248a0756a7499d084720824253b0af1aed5209148e7ba7ee3056f9fc1549e2d04d595777f31917795d9e75d2d3d7419d10c

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\wininit.exe

Filesize
2.6MB

MD5
b639435b22c3d46942bde62963ac2816

SHA1
96a71e162e2b3a536fed88e4a542a3052a11ec05

SHA256
6fea522baf7efa24dd02ee1a1c4955db472d1a2b9229732559e30efb718cff5f

SHA512
d8acdf397b94db30f9e7d7cdf49be52b80b25651689cf86ca79099817910c8b36a434565365f3cccd796b06f25d9539cf8ec7abcbbf438d369c5ee5a13fa3c94

Download Submit
C:\Program Files\Microsoft Office\System.exe

Filesize
2.6MB

MD5
30aa7be47d83aa5f992518d25e57cf76

SHA1
9dd9779fdaeac1680e5ac36a09ccfdfb7a7277a7

SHA256
b2f8676c088d4271d5f24bfbd6648696dd7f0b31df6854471b7a205f039e821d

SHA512
6005940a692da13257ad58bcd3d44667877d9c712e917e87c2724655afda849ca2b774188272033a5b3122bf77072c204833632df69de0bb7ccbca0377772872

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
2.6MB

MD5
ef4ba8f97cebc4abd3e4667787d09629

SHA1
6f82b91877c5bee4133335a6c6e758a733e04023

SHA256
4c6985914ee9142c8edbefe801b897616b352263e3e4a65cfc7de969db0ea7ff

SHA512
966b680161badebb0add3e03613cbeda9c6a61cfc4faf6462a63d2ca323984a2b5814ecec5bd858e9c85267219b00105ea43593edd7cdfc215f88ea627808a18

Download Submit
memory/400-209-0x000000001C9E0000-0x000000001C9F2000-memory.dmp

Filesize
72KB

Download
memory/1216-12-0x0000000002940000-0x0000000002948000-memory.dmp

Filesize
32KB

Download
memory/1216-19-0x000000001BA70000-0x000000001BA7C000-memory.dmp

Filesize
48KB

Download
memory/1216-10-0x000000001B450000-0x000000001B45A000-memory.dmp

Filesize
40KB

Download
memory/1216-8-0x0000000002910000-0x0000000002926000-memory.dmp

Filesize
88KB

Download
memory/1216-7-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/1216-6-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/1216-11-0x000000001B9D0000-0x000000001BA26000-memory.dmp

Filesize
344KB

Download
memory/1216-0-0x00007FFB67ED3000-0x00007FFB67ED5000-memory.dmp

Filesize
8KB

Download
memory/1216-13-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/1216-14-0x000000001C3B0000-0x000000001C8D8000-memory.dmp

Filesize
5.2MB

Download
memory/1216-16-0x000000001BA40000-0x000000001BA48000-memory.dmp

Filesize
32KB

Download
memory/1216-9-0x0000000002930000-0x0000000002938000-memory.dmp

Filesize
32KB

Download
memory/1216-20-0x000000001BA80000-0x000000001BA8A000-memory.dmp

Filesize
40KB

Download
memory/1216-18-0x000000001BA60000-0x000000001BA6E000-memory.dmp

Filesize
56KB

Download
memory/1216-17-0x000000001BA50000-0x000000001BA5C000-memory.dmp

Filesize
48KB

Download
memory/1216-15-0x000000001B460000-0x000000001B468000-memory.dmp

Filesize
32KB

Download
memory/1216-5-0x000000001B980000-0x000000001B9D0000-memory.dmp

Filesize
320KB

Download
memory/1216-4-0x00000000028D0000-0x00000000028EC000-memory.dmp

Filesize
112KB

Download
memory/1216-3-0x00000000028C0000-0x00000000028CE000-memory.dmp

Filesize
56KB

Download
memory/1216-2-0x00007FFB67ED0000-0x00007FFB68991000-memory.dmp

Filesize
10.8MB

Download
memory/1216-208-0x00007FFB67ED0000-0x00007FFB68991000-memory.dmp

Filesize
10.8MB

Download
memory/1216-1-0x0000000000500000-0x00000000007A8000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads