Analysis
-
max time kernel
148s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
24-11-2024 03:01
General
-
Target
181d043c0617914801548f09d5b776d4.exe
-
Size
1.4MB
-
MD5
181d043c0617914801548f09d5b776d4
-
SHA1
757f042065a3dc2c9f73e635b41f83591c8ad647
-
SHA256
501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad
-
SHA512
c56897c04b11db7c09ef21be8fe6a541c3c9ffb428b3e1340fce5b035f9f74bb133b57e7cc0852730efd20b4a49da0e8a79b6390f105d18f9fb39461559be574
-
SSDEEP
24576:6oIREGQw97lGTIYskQyxNtGSKERqWzAcqGv+3spCElJz009I+LU:gRdGcHkBxNYARdzAcqGv+cphlJzxV
Malware Config
Signatures
-
DcRat 41 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 13 IoCs
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 39 IoCs
-
DCRat payload 8 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 12 IoCs
-
Adds Run key to start application 2 TTPs 24 IoCs
-
Checks whether UAC is enabled 1 TTPs 26 IoCs
-
Drops file in Program Files directory 7 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 39 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\181d043c0617914801548f09d5b776d4.exe"C:\Users\Admin\AppData\Local\Temp\181d043c0617914801548f09d5b776d4.exe"1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Vx3o3eVAfD.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Windows\DigitalLocker\services.exe"C:\Windows\DigitalLocker\services.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a0d729f-3523-4a90-a2bd-8a761333e0ac.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\DigitalLocker\services.exeC:\Windows\DigitalLocker\services.exe5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a659c74-ed39-4bc6-a3d3-cba31702cf6a.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\DigitalLocker\services.exeC:\Windows\DigitalLocker\services.exe7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8eb24e23-e891-4993-8f1d-a298249c5dab.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\DigitalLocker\services.exeC:\Windows\DigitalLocker\services.exe9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d48c6137-ee57-41aa-ba70-e273b7f49ecc.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\DigitalLocker\services.exeC:\Windows\DigitalLocker\services.exe11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cae73f29-c19f-4039-878b-6433e9a894ab.vbs"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\DigitalLocker\services.exeC:\Windows\DigitalLocker\services.exe13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be4117eb-72b0-45f5-8d97-5d92b10456e7.vbs"14⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\DigitalLocker\services.exeC:\Windows\DigitalLocker\services.exe15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20b5aacb-c6ec-48cb-8db8-0ae1bbdcb1a7.vbs"16⤵
-
C:\Windows\DigitalLocker\services.exeC:\Windows\DigitalLocker\services.exe17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97ea8eb8-7967-465d-80c4-ef8b716c5802.vbs"18⤵
-
C:\Windows\DigitalLocker\services.exeC:\Windows\DigitalLocker\services.exe19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c89c278-999a-46d1-a2f0-6db492679784.vbs"20⤵
-
C:\Windows\DigitalLocker\services.exeC:\Windows\DigitalLocker\services.exe21⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ce724db-8704-482d-9c35-9c0139e6c1fc.vbs"22⤵
-
C:\Windows\DigitalLocker\services.exeC:\Windows\DigitalLocker\services.exe23⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d61f9915-0f64-47ba-ac15-88c5094400e8.vbs"24⤵
-
C:\Windows\DigitalLocker\services.exeC:\Windows\DigitalLocker\services.exe25⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07f03248-33ea-4724-9e7c-8e016a7ee803.vbs"26⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d7a1996-a56f-42a9-8f7a-4d99386aa95f.vbs"26⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\662ab133-ed29-4625-ae47-6f48eaab961e.vbs"24⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47d5ef9c-cb8c-40ee-9efb-8ab1047940ed.vbs"22⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5bc6812-eee3-40a4-85b2-6ea5ee11fca6.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c0f49f5-b92f-42ec-97ab-f61eb15f7d49.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7be84dd3-1a31-47a4-aeef-97e43b877ddd.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ca269bf-8637-4b3d-90d9-81f9bca4140b.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\869cc073-f272-4e15-b973-e4fe0367ac1f.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcb6ca7b-ba5b-468e-a6f2-58c517601655.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9e8d941-01b5-4fde-8f06-3543894dcf5c.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5b91688-dbe3-4fb3-9eb0-26ac4bb088ef.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16200d94-44b6-4cde-a331-d6de16faa7b4.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\de-DE\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\AppPatch\de-DE\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\de-DE\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "181d043c0617914801548f09d5b776d41" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\181d043c0617914801548f09d5b776d4.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "181d043c0617914801548f09d5b776d4" /sc ONLOGON /tr "'C:\Windows\Globalization\181d043c0617914801548f09d5b776d4.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "181d043c0617914801548f09d5b776d41" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\181d043c0617914801548f09d5b776d4.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default\SendTo\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\SendTo\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default\SendTo\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "181d043c0617914801548f09d5b776d41" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\181d043c0617914801548f09d5b776d4.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "181d043c0617914801548f09d5b776d4" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\181d043c0617914801548f09d5b776d4.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "181d043c0617914801548f09d5b776d41" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\181d043c0617914801548f09d5b776d4.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD5181d043c0617914801548f09d5b776d4
SHA1757f042065a3dc2c9f73e635b41f83591c8ad647
SHA256501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad
SHA512c56897c04b11db7c09ef21be8fe6a541c3c9ffb428b3e1340fce5b035f9f74bb133b57e7cc0852730efd20b4a49da0e8a79b6390f105d18f9fb39461559be574
-
Filesize
713B
MD552b6d53b6804e780e738d4455ac58eff
SHA1132c286a4283d66635361e45edea2f8b6c32dd1f
SHA2563a69e3b989747aaa4bfc2beb19a59ab27531bdefd0977a762908272d342c4b36
SHA512755e578a371eda6fc92a57335fd318ee9f22b451c93c9a555b6fc9c689f66b9c5753f6a80935e0d366b4dd484189bee7ae7daa8060dc101f036d6ac18a92f0d1
-
Filesize
713B
MD5d9f99321a08a877e3e39994cee78d5d8
SHA171f3e854e7d4f977cb6d2deac7c8edf7b8f60370
SHA256fe42d0bc4388bab2cb4c887d01766c1eb3a5a8b21e3fe5923c2b22dec73d2a58
SHA51291a58e06df7e33b2ff4cd8a5e853c2240cc7ce302f65090bb3af5ee4fd117905475346a27c7056a88d9b0ae7e29ef95307acbb85fcfdbbbfe9f1ba4f9e4be7d7
-
Filesize
713B
MD5f4546b81a1dcbe4fd2d1236987a4ecfc
SHA1ed531ab65b4a7a5f749a5ce50f144800664c6933
SHA256d61f9d5472c716e7a34035b142f4c8defffff6fb91b342ce12156f1dbcc39d82
SHA512b197695e1ceb15b0b545fef3b9200a958dd4af76629286f83356484823f0b82bf2a5a1be5a6ea01aa6648e71a3a29670cca58814ce559fb24d856e61e7e34121
-
Filesize
489B
MD55009ea6d9d96a31b34a08473d768d8e8
SHA1a51bf6b206ab395359268de36acbaf5e2c279f86
SHA2568216c01d8dc4591b4394f42ec048121419f9042bc218a3f1ecd4d1cf19a3deff
SHA512e853e10e7288c60a533312436a468577cd0dbf74bb246faab327e2ecde4afafa01a99c810945f0bfbe5ff2dc3fea51bf61914bc654563e154577bc5fd2c1e430
-
Filesize
713B
MD5ebf710c8d962680769e895659b243ef2
SHA1b838fd36086ea48b876273f817723053950241b7
SHA25623c5c84f39b38d353fe8b9ddbaa0e0b45fddf0855ea5c977caa0a3aa4a30cd16
SHA5124d496db3cf8f5127487e84124e53634367676ef6467f7c890fe904f66646fbc0499c6ff1f6829f8574400f257994d74996c1b85b993ad09bffa0ce02d0629c44
-
Filesize
713B
MD55de5285cd599be03e0a51cffdace3b40
SHA187905a2c3ba7ec554ea994d61f3e2c71a74552e1
SHA256d7d17c04d8eeeebe1cf8e0c1f27854d6b116568aad2061d75b36fe13fa0354bb
SHA512fb6cd5ba94b394bad98cef8aeaf7ad6f45198dee785172dc332f87103b469fe88224a95351681bedba92b43fa97f5b04a0d1b92efd5a0bdc881f60a0a7b479ff
-
Filesize
712B
MD5ab6b6b58a193cffed51d3011c1d6c483
SHA19b499bf4470b2912572971a98ccf1651462b15fa
SHA256b2ee7d05988109e5b754571f38d0290e5b44740d90c91b733c69681a042e9570
SHA5123b5bd6a326881162d997f7705a8e02acb14d05762c2294c10eacf73dc07875b7ce782f04a25827ba519c14a2a569400ed95118b2575788835b5fd9b526fefa1b
-
Filesize
713B
MD56412e4fc6e7b53e58ddd39fc11afd717
SHA1de2fef810110760c4235a5cb19e3256368f2cde2
SHA2565f80dc5f95f887e733b99738600e29e8289ec266efebc405185210658637c0e2
SHA512b9ff74e68e3d9dfb5b835d30f15d5b7303b06f21de41519d60d3b7d823985ee95c165d4cd6c6808809749b972452a8727a238d654e9045f6a139f1a14d3d4c20
-
Filesize
712B
MD5464a61f00bcbddabf8b44bf7279dfa61
SHA1e1594adc632963a9eca37693537411b3c856b971
SHA256ae829efd74116013faf33c67683013356259e048d85a3df1ae39758eb2e4aa9c
SHA512fb08e857475f68d56c85d23405e10b4cf4e0c2414fe7dbc0e5ce49d97a1622071fa68c066fb94da5977fd0ef04ce17e81e80fc6af08d9ec3e98af0c5b4f11b0e
-
Filesize
202B
MD5eb4af045bc625aea65d25eb6fc3e0310
SHA1289e909e79e661fa77c5ec61a8a0d0bfbf9a9269
SHA256a61771b61c6081e495f5b402ee5ed0726823f3979f99b108b0314e159c0bc909
SHA512a2f5a3e6087470dfcb61818c0f99ce582b114f8d0276ed9e13aac91229b0314de31887e1c91e530b3368cdc8b91627782a62cd36fb9d891547c0c368bc6ead08
-
Filesize
713B
MD5694c15dfee2b7117260a44fb1830b049
SHA119a463a9e1fbf91bad4d60dc5e44a0e6466ed551
SHA256f1ea6651018afe114c440e58c5ed5da4afb366eaf2b72925eec997e637bb5580
SHA512f77263bf04cc982d44969e316df08846251fb6c47b2a2f773a2978d5f75b13905a73ba6cb93a81b85bfe0bdb85cadcdd33acba822587ea18ff603fb8a5b54591
-
Filesize
713B
MD5b558a3ab82db17adb47c5e6031ba93e4
SHA101b17220d9f8efcb9c4e8f3de9913f916fc81fcc
SHA25647edaa357aa538389c9239e65ed57ef18b1a01ed1002bf8bb351eabe636bdefc
SHA5124b6dd9efecb9551688a8fc051bf4248a85eb55a509e121dcec44e610af4c60625f099480b7371110b9faee9e822eddb9ab08a68b110561762328b9ee8bed617a
-
Filesize
713B
MD51d671c541e97e0e060ba9750787234c8
SHA13a24f1b6da14f49ca60f631765b49b38fb0d7914
SHA2568f2fc9b611dabf75118f9aa91bac50ec1f2305bf2ea4b5fcbffaa620a4dbb561
SHA5123406df0d158977f80906fb68aa747fae5ab0e6a344f8bd127a46db3bf35b14c4416c93a0e287cc44fd4cd28168df3a2e69371a5e2e40a9fa282871bc03737917
-
Filesize
713B
MD5bebbd5c11a0eaa6adfa3381614c3872f
SHA1e9a2f79ada9b56375732735703f6487fd0e4d17f
SHA256790eb95f25b1591aa89fd64cf8037cb7956ec6b8939b2b93636432011231aab7
SHA5128766ae92a26b216c7a3a3934a1eb51a0cdf115f53a0362cda8cdfcf8753e99ae296b3b91a93d257e7ae0a1c20b3ac1f27a93229fdb59a3afb3764169a91ff30f
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
1.4MB
-
Filesize
9.9MB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
112KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB