dcrat | 820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818

Analysis

max time kernel
95s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Size

2.6MB
MD5

70cc71e35134d51fc8146e37c5057870
SHA1

7711b99c61a69c022aeb74bca4e8f6514bd60318
SHA256

820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818
SHA512

030064056bf5d8e54024c8ea0471e70719294b4fe71165bdf811789a2419b9bf3f087d2e680db96cd0874a4e2859b7676a13d6c2bb41b0e89aaebc222dde8ea5
SSDEEP

49152:EZjcfg3kx6GhHszTNMdkdOYY/Z5K0eR/SRXtbqayyLsPZqGXkcZAo:nY0UwmOTBU5R+dbqzTB

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat 58 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
File created	C:\Windows\AppReadiness\7a0fd90576e088		820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
		5000	schtasks.exe
		4844	schtasks.exe
		2112	schtasks.exe
		2928	schtasks.exe
		1324	schtasks.exe
		3152	schtasks.exe
		5040	schtasks.exe
		1972	schtasks.exe
		1936	schtasks.exe
		428	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
		4548	schtasks.exe
		3128	schtasks.exe
		428	schtasks.exe
File created	C:\Program Files (x86)\MSBuild\55b276f4edf653		820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
		2976	schtasks.exe
		5100	schtasks.exe
		2604	schtasks.exe
		2056	schtasks.exe
		3392	schtasks.exe
		3156	schtasks.exe
		2036	schtasks.exe
		1864	schtasks.exe
		4716	schtasks.exe
File created	C:\Windows\uk-UA\886983d96e3d3e		820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
		3492	schtasks.exe
		2552	schtasks.exe
		2572	schtasks.exe
		3432	schtasks.exe
		4372	schtasks.exe
		3732	schtasks.exe
		5052	schtasks.exe
		2284	schtasks.exe
		2684	schtasks.exe
		1168	schtasks.exe
		4084	schtasks.exe
		4876	schtasks.exe
		3024	schtasks.exe
		2896	schtasks.exe
		5108	schtasks.exe
		2452	schtasks.exe
		3644	schtasks.exe
		3564	schtasks.exe
		2776	schtasks.exe
		2980	schtasks.exe
		4736	schtasks.exe
		2588	schtasks.exe
		2044	schtasks.exe
		3372	schtasks.exe
		2600	schtasks.exe
		1376	schtasks.exe
		2892	schtasks.exe
		2440	schtasks.exe
		4068	schtasks.exe
		1412	schtasks.exe
		2084	schtasks.exe
		432	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	2068	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2068	schtasks.exe	85

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/736-1-0x0000000000BC0000-0x0000000000E68000-memory.dmp	dcrat
behavioral2/files/0x0008000000023c94-32.dat	dcrat
behavioral2/files/0x000a000000023c94-54.dat	dcrat
behavioral2/files/0x0009000000023c88-65.dat	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe

Executes dropped EXE 2 IoCs

pid	Process
3396	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
840	unsecapp.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files\Google\OfficeClickToRun.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\9e8d7a4ca61bd9	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files\Java\jre-1.8\7a0fd90576e088	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files (x86)\MSBuild\StartMenuExperienceHost.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files (x86)\MSBuild\55b276f4edf653	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXA55F.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\StartMenuExperienceHost.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files\Windows Mail\dllhost.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\e6c9b481da804f	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files\Java\jre-1.8\explorer.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\explorer.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files\Windows Mail\WmiPrvSE.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXA4E1.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files\Windows Mail\5940a34987c991	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files\Google\OfficeClickToRun.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Program Files\Windows Mail\dllhost.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files\Google\e6c9b481da804f	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files\Windows Mail\WmiPrvSE.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Program Files\Windows Mail\24dbde2999530e	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File created	C:\Windows\uk-UA\csrss.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Windows\Offline Web Pages\upfc.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Windows\diagnostics\scheduled\Maintenance\de-DE\RuntimeBroker.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Windows\assembly\WaaSMedicAgent.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Windows\uk-UA\csrss.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Windows\Registration\unsecapp.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Windows\Web\4K\dllhost.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Windows\IME\IMEKR\HELP\SppExtComObj.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Windows\Web\4K\dllhost.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Windows\Downloaded Program Files\9e8d7a4ca61bd9	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Windows\assembly\WaaSMedicAgent.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Windows\uk-UA\886983d96e3d3e	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Windows\Downloaded Program Files\RuntimeBroker.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Windows\Registration\unsecapp.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Windows\assembly\c82b8037eab33d	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Windows\Downloaded Program Files\RuntimeBroker.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Windows\AppReadiness\explorer.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Windows\uk-UA\RCXA765.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Windows\Registration\29c1c3cc0f7685	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Windows\Web\4K\5940a34987c991	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Windows\Offline Web Pages\upfc.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Windows\Offline Web Pages\ea1d8f6d871115	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Windows\rescache\_merged\431186354\dllhost.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Windows\AppReadiness\7a0fd90576e088	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Windows\AppReadiness\RCXA23F.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Windows\AppReadiness\RCXA2BD.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Windows\IME\IMEKR\HELP\SppExtComObj.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Windows\IME\IMEKR\HELP\e1ef82546f0b02	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File created	C:\Windows\AppReadiness\explorer.exe	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
File opened for modification	C:\Windows\uk-UA\RCXA764.tmp	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
428	schtasks.exe
2056	schtasks.exe
2684	schtasks.exe
3732	schtasks.exe
428	schtasks.exe
4844	schtasks.exe
1936	schtasks.exe
2284	schtasks.exe
4548	schtasks.exe
432	schtasks.exe
2044	schtasks.exe
3128	schtasks.exe
2552	schtasks.exe
2604	schtasks.exe
3564	schtasks.exe
2976	schtasks.exe
2440	schtasks.exe
1864	schtasks.exe
2892	schtasks.exe
4716	schtasks.exe
3372	schtasks.exe
5052	schtasks.exe
2588	schtasks.exe
5100	schtasks.exe
3492	schtasks.exe
4372	schtasks.exe
2928	schtasks.exe
5000	schtasks.exe
2896	schtasks.exe
3152	schtasks.exe
3644	schtasks.exe
2112	schtasks.exe
2980	schtasks.exe
2776	schtasks.exe
2036	schtasks.exe
5040	schtasks.exe
1972	schtasks.exe
3156	schtasks.exe
1376	schtasks.exe
5108	schtasks.exe
4084	schtasks.exe
2600	schtasks.exe
1168	schtasks.exe
3024	schtasks.exe
4068	schtasks.exe
4736	schtasks.exe
2084	schtasks.exe
2452	schtasks.exe
2572	schtasks.exe
3392	schtasks.exe
3432	schtasks.exe
4876	schtasks.exe
1412	schtasks.exe
1324	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
736	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
3396	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
3396	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
3396	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
3396	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
3396	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
3396	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
3396	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
3396	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
3396	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
3396	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
3396	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
3396	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
840	unsecapp.exe
840	unsecapp.exe
840	unsecapp.exe
840	unsecapp.exe
840	unsecapp.exe
840	unsecapp.exe
840	unsecapp.exe
840	unsecapp.exe
840	unsecapp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
840	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	736	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Token: SeDebugPrivilege	3396	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Token: SeDebugPrivilege	840	unsecapp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 3540	736	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe	101
PID 736 wrote to memory of 3540	736	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe	101
PID 3540 wrote to memory of 4320	3540	cmd.exe	103
PID 3540 wrote to memory of 4320	3540	cmd.exe	103
PID 3540 wrote to memory of 3396	3540	cmd.exe	110
PID 3540 wrote to memory of 3396	3540	cmd.exe	110
PID 3396 wrote to memory of 4808	3396	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe	156
PID 3396 wrote to memory of 4808	3396	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe	156
PID 4808 wrote to memory of 4884	4808	cmd.exe	158
PID 4808 wrote to memory of 4884	4808	cmd.exe	158
PID 4808 wrote to memory of 840	4808	cmd.exe	160
PID 4808 wrote to memory of 840	4808	cmd.exe	160

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
"C:\Users\Admin\AppData\Local\Temp\820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe"
1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iKDvRnKw2P.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4320
- - C:\Users\Admin\AppData\Local\Temp\820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe
    "C:\Users\Admin\AppData\Local\Temp\820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3396
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vQv3iUx6r8.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4808
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4884
    - - C:\Windows\Registration\unsecapp.exe
        
        "C:\Windows\Registration\unsecapp.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\AppReadiness\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\AppReadiness\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\AppReadiness\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\uk-UA\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\uk-UA\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\uk-UA\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Windows\IME\IMEKR\HELP\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\IME\IMEKR\HELP\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\IMEKR\HELP\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Registration\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\4K\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Web\4K\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\4K\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Google\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\SendTo\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\SendTo\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre-1.8\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre-1.8\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Windows\assembly\WaaSMedicAgent.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\assembly\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\StartMenuExperienceHost.exe

Filesize
2.6MB

MD5
2ed6c47aba1cd6987bd77f3cb2a75893

SHA1
958f0f2e3d368de1b54d1135d7a5fc82248b4772

SHA256
86e653f1889516f821c932ccedddce16818f0403eed0279cf0308c8b04f23a83

SHA512
93cefce326e9406749fd7ec8076d2104c71d446452657e5db1b0a82a7df2934501846e1f71e77a5b40a5c714334f86557440519c2e14b46ba5b4d136aa3b81b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818N.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX9E16.tmp

Filesize
2.6MB

MD5
70cc71e35134d51fc8146e37c5057870

SHA1
7711b99c61a69c022aeb74bca4e8f6514bd60318

SHA256
820cc4a2657103f6565b5bacf692152e3b437b263c5990d8b5786384e8f0c818

SHA512
030064056bf5d8e54024c8ea0471e70719294b4fe71165bdf811789a2419b9bf3f087d2e680db96cd0874a4e2859b7676a13d6c2bb41b0e89aaebc222dde8ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iKDvRnKw2P.bat

Filesize
268B

MD5
57da1aab3a092195f464940056b955c3

SHA1
8923e8b819e36a3575c68e54ed6868117bbf4968

SHA256
512edd8b6a106bfb37187cd3307eac389e020dbdbb2e385b70b36ecdba425b04

SHA512
0be7612906d850fb8048e5de13d42a7270b31a52137d80cb2e3b8910540efcd901cfe8f4f61c6f551d0897feb36237a2ee91337295fc9bd6f627a69ec5eb0345

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQv3iUx6r8.bat

Filesize
201B

MD5
1a75c357782e24121762c296826d6f2e

SHA1
8ee4f787d2433611df15b527c629da6b0f18a905

SHA256
0754ba6ba6cc268cdcdb90b7347481d90637ccb05d8694cd81fe210a0d60d22e

SHA512
422cfe36850f22484acf3635dafe6efe9a892d63c6b8ed3f2617b64c2c3f4f54bc497f0c2c42f85186a0c103f7ed59553928ddc067335eaf46a30445272c469c

Download Submit
C:\Windows\AppReadiness\explorer.exe

Filesize
2.6MB

MD5
f5ba393393c44efdedf08b0899751fe1

SHA1
8b896231678a8ba8b4eed1d22b3a638293e8a330

SHA256
fb5376a0ee96c3dda42acc6d15aa21fca7b883bb34f647bccd18ae44bafa6b7c

SHA512
7f6bea6f35045607a6eb67d2c66d4996e26584bbe30bd3f37d462680f3af463a06e11f215404cb0cfcee870466c8f252295d40a05f5b9dcbf6fa82486a53bcb8

Download Submit
memory/736-8-0x0000000002FD0000-0x0000000002FE6000-memory.dmp

Filesize
88KB

Download
memory/736-15-0x000000001BB30000-0x000000001BB38000-memory.dmp

Filesize
32KB

Download
memory/736-10-0x0000000003000000-0x000000000300A000-memory.dmp

Filesize
40KB

Download
memory/736-7-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/736-6-0x0000000002F40000-0x0000000002F48000-memory.dmp

Filesize
32KB

Download
memory/736-11-0x000000001C0E0000-0x000000001C136000-memory.dmp

Filesize
344KB

Download
memory/736-12-0x0000000003010000-0x0000000003018000-memory.dmp

Filesize
32KB

Download
memory/736-13-0x0000000003020000-0x0000000003032000-memory.dmp

Filesize
72KB

Download
memory/736-14-0x000000001CB10000-0x000000001D038000-memory.dmp

Filesize
5.2MB

Download
memory/736-17-0x000000001BB50000-0x000000001BB5C000-memory.dmp

Filesize
48KB

Download
memory/736-16-0x000000001BB40000-0x000000001BB48000-memory.dmp

Filesize
32KB

Download
memory/736-0-0x00007FF8BE393000-0x00007FF8BE395000-memory.dmp

Filesize
8KB

Download
memory/736-18-0x000000001BCC0000-0x000000001BCCE000-memory.dmp

Filesize
56KB

Download
memory/736-19-0x000000001C130000-0x000000001C13C000-memory.dmp

Filesize
48KB

Download
memory/736-20-0x000000001C140000-0x000000001C14A000-memory.dmp

Filesize
40KB

Download
memory/736-9-0x0000000002FF0000-0x0000000002FF8000-memory.dmp

Filesize
32KB

Download
memory/736-5-0x000000001BC70000-0x000000001BCC0000-memory.dmp

Filesize
320KB

Download
memory/736-4-0x0000000002FA0000-0x0000000002FBC000-memory.dmp

Filesize
112KB

Download
memory/736-85-0x00007FF8BE390000-0x00007FF8BEE51000-memory.dmp

Filesize
10.8MB

Download
memory/736-3-0x0000000001630000-0x000000000163E000-memory.dmp

Filesize
56KB

Download
memory/736-2-0x00007FF8BE390000-0x00007FF8BEE51000-memory.dmp

Filesize
10.8MB

Download
memory/736-1-0x0000000000BC0000-0x0000000000E68000-memory.dmp

Filesize
2.7MB

Download
memory/3396-89-0x000000001B8E0000-0x000000001B936000-memory.dmp

Filesize
344KB

Download