dcrat | 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d

General

Target

93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Size

1.1MB
MD5

a4ea523b57cc90848732ee08117646d0
SHA1

a9706d93616af18f00027c6d9c29b6b877497c1e
SHA256

93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d
SHA512

b280ef14615e5ebd8aece055c6a1eed253a68b47c26df4e92ed16df054db86d838495056806ff87893e04717e939983aae05dcf4c90eb1c5d2176728a0716a05
SSDEEP

24576:AMYPCI+q+U4cIG409ozWucypk1Nd4AX+iB/YjuM6kyh+i:ABPZ0Kr1FXHB/guM6k+V

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 24 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
2136	schtasks.exe
2876	schtasks.exe
2528	schtasks.exe
2800	schtasks.exe
2352	schtasks.exe
1496	schtasks.exe
2632	schtasks.exe
1780	schtasks.exe
1596	schtasks.exe
948	schtasks.exe
1836	schtasks.exe
744	schtasks.exe
2812	schtasks.exe
2376	schtasks.exe
2748	schtasks.exe
1504	schtasks.exe
1804	schtasks.exe
1636	schtasks.exe
372	schtasks.exe
3004	schtasks.exe
2440	schtasks.exe
1992	schtasks.exe
2084	schtasks.exe
1564	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsm.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsm.exe\", \"C:\\Windows\\Migration\\WTR\\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsm.exe\", \"C:\\Windows\\Migration\\WTR\\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsm.exe\", \"C:\\Windows\\Migration\\WTR\\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WmiPrvSE.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsm.exe\", \"C:\\Windows\\Migration\\WTR\\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\SendTo\\Idle.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsm.exe\", \"C:\\Windows\\Migration\\WTR\\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\SendTo\\Idle.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\services.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsm.exe\", \"C:\\Windows\\Migration\\WTR\\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\SendTo\\Idle.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\services.exe\", \"C:\\Program Files\\Java\\jre7\\bin\\plugin2\\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsm.exe\", \"C:\\Windows\\Migration\\WTR\\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\SendTo\\Idle.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\services.exe\", \"C:\\Program Files\\Java\\jre7\\bin\\plugin2\\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\WmiPrvSE.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2672	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/3064-1-0x0000000000AA0000-0x0000000000BCE000-memory.dmp	dcrat
behavioral1/files/0x0005000000019537-15.dat	dcrat
behavioral1/memory/2168-32-0x00000000001B0000-0x00000000002DE000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2168	Idle.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Admin\\SendTo\\Idle.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Admin\\SendTo\\Idle.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN = "\"C:\\Program Files\\Java\\jre7\\bin\\plugin2\\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows Portable Devices\\WmiPrvSE.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WmiPrvSE.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\services.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN = "\"C:\\Program Files\\Java\\jre7\\bin\\plugin2\\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\services.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsm.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsm.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN = "\"C:\\Windows\\Migration\\WTR\\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WmiPrvSE.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN = "\"C:\\Windows\\Migration\\WTR\\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows Portable Devices\\WmiPrvSE.exe\""	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\bin\plugin2\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\d2db3cacc0c323	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
File created	C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
File created	C:\Program Files (x86)\Windows Portable Devices\24dbde2999530e	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
File created	C:\Windows\Migration\WTR\d2db3cacc0c323	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2440	schtasks.exe
372	schtasks.exe
1496	schtasks.exe
2748	schtasks.exe
1804	schtasks.exe
3004	schtasks.exe
2376	schtasks.exe
2084	schtasks.exe
1596	schtasks.exe
1836	schtasks.exe
2812	schtasks.exe
2876	schtasks.exe
2632	schtasks.exe
1992	schtasks.exe
2136	schtasks.exe
1564	schtasks.exe
744	schtasks.exe
2352	schtasks.exe
2800	schtasks.exe
1780	schtasks.exe
1636	schtasks.exe
948	schtasks.exe
2528	schtasks.exe
1504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3064	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
2168	Idle.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
Token: SeDebugPrivilege	2168	Idle.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2348	3064	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe	55
PID 3064 wrote to memory of 2348	3064	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe	55
PID 3064 wrote to memory of 2348	3064	93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe	55
PID 2348 wrote to memory of 2356	2348	cmd.exe	57
PID 2348 wrote to memory of 2356	2348	cmd.exe	57
PID 2348 wrote to memory of 2356	2348	cmd.exe	57
PID 2348 wrote to memory of 2168	2348	cmd.exe	58
PID 2348 wrote to memory of 2168	2348	cmd.exe	58
PID 2348 wrote to memory of 2168	2348	cmd.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe
"C:\Users\Admin\AppData\Local\Temp\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lohe5CmuHk.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2356
- - C:\Users\Admin\SendTo\Idle.exe
    "C:\Users\Admin\SendTo\Idle.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN9" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN9" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\SendTo\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN9" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre7\bin\plugin2\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\plugin2\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN9" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre7\bin\plugin2\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1dN.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Lohe5CmuHk.bat

Filesize
195B

MD5
3dd6a00bab6340db6924a3d02ff70273

SHA1
570268f726e362bfdd9c15924a16f06a6fb96a09

SHA256
88c5b47d2f3324ead64b3d742932cb68d66a941e1769cb9fb9b234ab624282d4

SHA512
86ace738ae4d63312cdfd347b2d01326f2d39249c447e5cabd049cee1738614782dd72fafd7c7a09123161620a733954bce119e443d7640591344917ff035032

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Idle.exe

Filesize
1.1MB

MD5
a4ea523b57cc90848732ee08117646d0

SHA1
a9706d93616af18f00027c6d9c29b6b877497c1e

SHA256
93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d

SHA512
b280ef14615e5ebd8aece055c6a1eed253a68b47c26df4e92ed16df054db86d838495056806ff87893e04717e939983aae05dcf4c90eb1c5d2176728a0716a05

Download Submit
memory/2168-32-0x00000000001B0000-0x00000000002DE000-memory.dmp

Filesize
1.2MB

Download
memory/3064-0-0x000007FEF5683000-0x000007FEF5684000-memory.dmp

Filesize
4KB

Download
memory/3064-1-0x0000000000AA0000-0x0000000000BCE000-memory.dmp

Filesize
1.2MB

Download
memory/3064-2-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-3-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/3064-4-0x00000000002F0000-0x0000000000302000-memory.dmp

Filesize
72KB

Download
memory/3064-6-0x0000000000A50000-0x0000000000A58000-memory.dmp

Filesize
32KB

Download
memory/3064-5-0x0000000000300000-0x000000000030E000-memory.dmp

Filesize
56KB

Download
memory/3064-29-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads