dcrat | 7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445

Analysis

max time kernel
116s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Size

2.6MB
MD5

12dcc1cafbf752f84a12d3bed14cd6e2
SHA1

9ebf8e2fef206cefff0cb2474f284869827e6e45
SHA256

7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445
SHA512

e6d535bbf3a65d225f7a6b8fd500952774a8664daea4e091fa9dd4d0a6538a150089ff38271ff345c91a76518c2094dbb59a2ff92d7fc24cdf2d66d4fcdd1a27
SSDEEP

49152:EZjcfg3kx6GhHszTNMdkdOYY/Z5K0eR/SRXtbqayyLsPZqGXkcZAo:nY0UwmOTBU5R+dbqzTB

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat 39 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2616	schtasks.exe
		1828	schtasks.exe
		452	schtasks.exe
		3544	schtasks.exe
		4868	schtasks.exe
		4624	schtasks.exe
		2336	schtasks.exe
		3888	schtasks.exe
		3200	schtasks.exe
		2752	schtasks.exe
		1936	schtasks.exe
		2368	schtasks.exe
		1636	schtasks.exe
		4004	schtasks.exe
		60	schtasks.exe
		2100	schtasks.exe
		3148	schtasks.exe
		728	schtasks.exe
		3132	schtasks.exe
		3616	schtasks.exe
		3844	schtasks.exe
		3356	schtasks.exe
		2488	schtasks.exe
		3952	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
		1348	schtasks.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\6cb0b6c459d5d3		7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
		2496	schtasks.exe
		4352	schtasks.exe
		4620	schtasks.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\69ddcba757bf72		7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
		2724	schtasks.exe
		4520	schtasks.exe
		3732	schtasks.exe
		4220	schtasks.exe
		4356	schtasks.exe
		3464	schtasks.exe
		840	schtasks.exe
		2884	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	728	4432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	4432	schtasks.exe	86

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2312-1-0x0000000000400000-0x00000000006A8000-memory.dmp	dcrat
behavioral2/files/0x000b000000023b84-35.dat	dcrat
behavioral2/files/0x0003000000022dcd-54.dat	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe

Executes dropped EXE 2 IoCs

pid	Process
2448	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
2772	sysmon.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCX98D8.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX9AEC.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Program Files\Google\Chrome\dwm.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files\Google\Chrome\dwm.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Program Files\Google\Chrome\6cb0b6c459d5d3	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\smss.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\6cb0b6c459d5d3	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCX98C7.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX9AED.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\smss.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\69ddcba757bf72	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\appcompat\encapsulation\StartMenuExperienceHost.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Windows\appcompat\encapsulation\55b276f4edf653	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Windows\appcompat\encapsulation\StartMenuExperienceHost.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4220	schtasks.exe
3952	schtasks.exe
2368	schtasks.exe
1636	schtasks.exe
1936	schtasks.exe
3732	schtasks.exe
1828	schtasks.exe
3616	schtasks.exe
4004	schtasks.exe
1348	schtasks.exe
2336	schtasks.exe
728	schtasks.exe
60	schtasks.exe
3844	schtasks.exe
2724	schtasks.exe
840	schtasks.exe
3544	schtasks.exe
3132	schtasks.exe
4520	schtasks.exe
3148	schtasks.exe
3464	schtasks.exe
4620	schtasks.exe
2616	schtasks.exe
3356	schtasks.exe
452	schtasks.exe
2488	schtasks.exe
2496	schtasks.exe
2100	schtasks.exe
4356	schtasks.exe
2884	schtasks.exe
3888	schtasks.exe
4624	schtasks.exe
4868	schtasks.exe
3200	schtasks.exe
4352	schtasks.exe
2752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2312	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
2312	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
2312	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
2312	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
2312	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
2448	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
2448	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
2448	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
2448	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
2448	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
2448	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
2448	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
2772	sysmon.exe
2772	sysmon.exe
2772	sysmon.exe
2772	sysmon.exe
2772	sysmon.exe
2772	sysmon.exe
2772	sysmon.exe
2772	sysmon.exe
2772	sysmon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2772	sysmon.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Token: SeDebugPrivilege	2448	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Token: SeDebugPrivilege	2772	sysmon.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2448	2312	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe	102
PID 2312 wrote to memory of 2448	2312	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe	102
PID 2448 wrote to memory of 2772	2448	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe	130
PID 2448 wrote to memory of 2772	2448	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe	130

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
"C:\Users\Admin\AppData\Local\Temp\7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe"
1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2312
- C:\Users\Admin\AppData\Local\Temp\7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
  "C:\Users\Admin\AppData\Local\Temp\7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2448
- - C:\Recovery\WindowsRE\sysmon.exe
    "C:\Recovery\WindowsRE\sysmon.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Links\TextInputHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default\Links\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Links\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\appcompat\encapsulation\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\appcompat\encapsulation\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Default\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Default\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\MsEdgeCrashpad\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\MsEdgeCrashpad\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Multimedia Platform\RCX9AED.tmp

Filesize
2.6MB

MD5
02911d19174feb724cd47570d4188a58

SHA1
9b5a3e306b44cf73cb6b6f02b7355843029dcb8f

SHA256
dce2e3db78a32c0826767f5cb2c40f909b91d0db2209215939b5d6fbacc1df2e

SHA512
1de27f7ed6118691cfe59543a0f00c692d58ca46991ad7ecae936435cd79da97c4e56bee97bb8e14a9d9c171ef34789a812c47cc9b2991eb896be88f48c2c9b0

Download Submit
C:\Program Files (x86)\Windows NT\Accessories\en-US\smss.exe

Filesize
2.6MB

MD5
12dcc1cafbf752f84a12d3bed14cd6e2

SHA1
9ebf8e2fef206cefff0cb2474f284869827e6e45

SHA256
7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445

SHA512
e6d535bbf3a65d225f7a6b8fd500952774a8664daea4e091fa9dd4d0a6538a150089ff38271ff345c91a76518c2094dbb59a2ff92d7fc24cdf2d66d4fcdd1a27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
memory/2312-12-0x000000001B220000-0x000000001B228000-memory.dmp

Filesize
32KB

Download
memory/2312-14-0x000000001C2C0000-0x000000001C7E8000-memory.dmp

Filesize
5.2MB

Download
memory/2312-5-0x000000001B230000-0x000000001B280000-memory.dmp

Filesize
320KB

Download
memory/2312-7-0x000000001B1E0000-0x000000001B1F0000-memory.dmp

Filesize
64KB

Download
memory/2312-6-0x0000000002830000-0x0000000002838000-memory.dmp

Filesize
32KB

Download
memory/2312-9-0x000000001B210000-0x000000001B218000-memory.dmp

Filesize
32KB

Download
memory/2312-8-0x000000001B1F0000-0x000000001B206000-memory.dmp

Filesize
88KB

Download
memory/2312-10-0x000000001B9A0000-0x000000001B9AA000-memory.dmp

Filesize
40KB

Download
memory/2312-11-0x000000001B890000-0x000000001B8E6000-memory.dmp

Filesize
344KB

Download
memory/2312-0-0x00007FFD99B73000-0x00007FFD99B75000-memory.dmp

Filesize
8KB

Download
memory/2312-13-0x000000001B8E0000-0x000000001B8F2000-memory.dmp

Filesize
72KB

Download
memory/2312-4-0x000000001B170000-0x000000001B18C000-memory.dmp

Filesize
112KB

Download
memory/2312-19-0x000000001B950000-0x000000001B95C000-memory.dmp

Filesize
48KB

Download
memory/2312-20-0x000000001B960000-0x000000001B96A000-memory.dmp

Filesize
40KB

Download
memory/2312-18-0x000000001B940000-0x000000001B94E000-memory.dmp

Filesize
56KB

Download
memory/2312-17-0x000000001B930000-0x000000001B93C000-memory.dmp

Filesize
48KB

Download
memory/2312-16-0x000000001B920000-0x000000001B928000-memory.dmp

Filesize
32KB

Download
memory/2312-15-0x000000001B910000-0x000000001B918000-memory.dmp

Filesize
32KB

Download
memory/2312-3-0x0000000002820000-0x000000000282E000-memory.dmp

Filesize
56KB

Download
memory/2312-2-0x00007FFD99B70000-0x00007FFD9A631000-memory.dmp

Filesize
10.8MB

Download
memory/2312-1-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/2312-85-0x00007FFD99B70000-0x00007FFD9A631000-memory.dmp

Filesize
10.8MB

Download
memory/2772-176-0x00000000031B0000-0x0000000003206000-memory.dmp

Filesize
344KB

Download