dcrat | addb6ddd0caa7af8df2241c7e80363a4efaf9a5b5fb58ee68f56ba9df251e54e

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a13996ce9ec70db775df5ee1c34792a4_JaffaCakes118.exe
Size

2.3MB
MD5

a13996ce9ec70db775df5ee1c34792a4
SHA1

878ddbd0fe9445f90b4a968eabb801d34eea16a6
SHA256

addb6ddd0caa7af8df2241c7e80363a4efaf9a5b5fb58ee68f56ba9df251e54e
SHA512

6f7b32a1406973bf32902155f27a347dd46fe3022452a73a53218deb82bce940f89e70ebf90e8dfa084054bacc0306c45cc9c36b1b4ea6b9d6d0142c24dc274f
SSDEEP

49152:UbA30lmiYKzpT/IcR6Miss6OjdNXwVzZA/zY7o0VL:UbFYKzpT/76Miss6OwZ0zY7rVL

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat 15 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2636	schtasks.exe
		2044	schtasks.exe
		1592	schtasks.exe
		2316	schtasks.exe
		3024	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		a13996ce9ec70db775df5ee1c34792a4_JaffaCakes118.exe
		1672	schtasks.exe
		2972	schtasks.exe
		2232	schtasks.exe
		2384	schtasks.exe
		1796	schtasks.exe
		1028	schtasks.exe
		2960	schtasks.exe
		1056	schtasks.exe
		1296	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 14 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2616	schtasks.exe	35

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000019284-10.dat	dcrat
behavioral1/memory/2840-13-0x0000000000350000-0x000000000055E000-memory.dmp	dcrat
behavioral1/memory/2424-33-0x0000000000AF0000-0x0000000000CFE000-memory.dmp	dcrat
behavioral1/memory/2492-59-0x0000000000320000-0x000000000052E000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

pid	Process
2840	driverruntimereviewwinbroker.exe
2424	driverruntimereviewwinbroker.exe
2492	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2704	cmd.exe
2704	cmd.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\driverruntime\\dwm.exe\""	driverruntimereviewwinbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\lsass.exe\""	driverruntimereviewwinbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\wpdcomp\\WmiPrvSE.exe\""	driverruntimereviewwinbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\inetcomm\\lsm.exe\""	driverruntimereviewwinbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\driverruntime\\audiodg.exe\""	driverruntimereviewwinbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\fthsvc\\lsm.exe\""	driverruntimereviewwinbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\""	driverruntimereviewwinbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\ProgramData\\Microsoft\\Windows\\Sqm\\Upload\\dwm.exe\""	driverruntimereviewwinbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\klist\\csrss.exe\""	driverruntimereviewwinbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\msiprov\\WmiPrvSE.exe\""	driverruntimereviewwinbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\dssec\\taskhost.exe\""	driverruntimereviewwinbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\NlsData0009\\spoolsv.exe\""	driverruntimereviewwinbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI\\OSPPSVC.exe\""	driverruntimereviewwinbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\Downloaded Program Files\\OSPPSVC.exe\""	driverruntimereviewwinbroker.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\System32\klist\csrss.exe	driverruntimereviewwinbroker.exe
File created	C:\Windows\System32\klist\886983d96e3d3e31032c679b2d4ea91b6c05afef	driverruntimereviewwinbroker.exe
File created	C:\Windows\System32\fthsvc\lsm.exe	driverruntimereviewwinbroker.exe
File created	C:\Windows\System32\NlsData0009\spoolsv.exe	driverruntimereviewwinbroker.exe
File created	C:\Windows\System32\wbem\wpdcomp\24dbde2999530ef5fd907494bc374d663924116c	driverruntimereviewwinbroker.exe
File created	C:\Windows\System32\wbem\msiprov\WmiPrvSE.exe	driverruntimereviewwinbroker.exe
File created	C:\Windows\System32\dssec\taskhost.exe	driverruntimereviewwinbroker.exe
File opened for modification	C:\Windows\System32\NlsData0009\spoolsv.exe	driverruntimereviewwinbroker.exe
File created	C:\Windows\System32\NlsData0009\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	driverruntimereviewwinbroker.exe
File created	C:\Windows\System32\inetcomm\lsm.exe	driverruntimereviewwinbroker.exe
File created	C:\Windows\System32\inetcomm\101b941d020240259ca4912829b53995ad543df6	driverruntimereviewwinbroker.exe
File created	C:\Windows\System32\dssec\b75386f1303e64d8139363b71e44ac16341adf4e	driverruntimereviewwinbroker.exe
File created	C:\Windows\System32\wbem\wpdcomp\WmiPrvSE.exe	driverruntimereviewwinbroker.exe
File opened for modification	C:\Windows\System32\klist\csrss.exe	driverruntimereviewwinbroker.exe
File created	C:\Windows\System32\fthsvc\101b941d020240259ca4912829b53995ad543df6	driverruntimereviewwinbroker.exe
File created	C:\Windows\System32\wbem\msiprov\24dbde2999530ef5fd907494bc374d663924116c	driverruntimereviewwinbroker.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\1610b97d3ab4a74cd8ae104b51bea7bfcc5b9c6f	driverruntimereviewwinbroker.exe
File created	C:\Program Files (x86)\Windows Portable Devices\lsm.exe	driverruntimereviewwinbroker.exe
File created	C:\Program Files (x86)\Windows Portable Devices\101b941d020240259ca4912829b53995ad543df6	driverruntimereviewwinbroker.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\OSPPSVC.exe	driverruntimereviewwinbroker.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\OSPPSVC.exe	driverruntimereviewwinbroker.exe
File created	C:\Windows\Downloaded Program Files\1610b97d3ab4a74cd8ae104b51bea7bfcc5b9c6f	driverruntimereviewwinbroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a13996ce9ec70db775df5ee1c34792a4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1028	schtasks.exe
2636	schtasks.exe
1296	schtasks.exe
1796	schtasks.exe
2316	schtasks.exe
2384	schtasks.exe
2232	schtasks.exe
3024	schtasks.exe
2960	schtasks.exe
1056	schtasks.exe
2044	schtasks.exe
1592	schtasks.exe
1672	schtasks.exe
2972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2840	driverruntimereviewwinbroker.exe
2424	driverruntimereviewwinbroker.exe
2492	lsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	driverruntimereviewwinbroker.exe
Token: SeDebugPrivilege	2424	driverruntimereviewwinbroker.exe
Token: SeDebugPrivilege	2492	lsm.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2888	2648	a13996ce9ec70db775df5ee1c34792a4_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2888	2648	a13996ce9ec70db775df5ee1c34792a4_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2888	2648	a13996ce9ec70db775df5ee1c34792a4_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2888	2648	a13996ce9ec70db775df5ee1c34792a4_JaffaCakes118.exe	31
PID 2888 wrote to memory of 2704	2888	WScript.exe	32
PID 2888 wrote to memory of 2704	2888	WScript.exe	32
PID 2888 wrote to memory of 2704	2888	WScript.exe	32
PID 2888 wrote to memory of 2704	2888	WScript.exe	32
PID 2704 wrote to memory of 2840	2704	cmd.exe	34
PID 2704 wrote to memory of 2840	2704	cmd.exe	34
PID 2704 wrote to memory of 2840	2704	cmd.exe	34
PID 2704 wrote to memory of 2840	2704	cmd.exe	34
PID 2840 wrote to memory of 1396	2840	driverruntimereviewwinbroker.exe	42
PID 2840 wrote to memory of 1396	2840	driverruntimereviewwinbroker.exe	42
PID 2840 wrote to memory of 1396	2840	driverruntimereviewwinbroker.exe	42
PID 1396 wrote to memory of 1508	1396	cmd.exe	44
PID 1396 wrote to memory of 1508	1396	cmd.exe	44
PID 1396 wrote to memory of 1508	1396	cmd.exe	44
PID 1396 wrote to memory of 1248	1396	cmd.exe	45
PID 1396 wrote to memory of 1248	1396	cmd.exe	45
PID 1396 wrote to memory of 1248	1396	cmd.exe	45
PID 1396 wrote to memory of 2424	1396	cmd.exe	46
PID 1396 wrote to memory of 2424	1396	cmd.exe	46
PID 1396 wrote to memory of 2424	1396	cmd.exe	46
PID 2424 wrote to memory of 2188	2424	driverruntimereviewwinbroker.exe	55
PID 2424 wrote to memory of 2188	2424	driverruntimereviewwinbroker.exe	55
PID 2424 wrote to memory of 2188	2424	driverruntimereviewwinbroker.exe	55
PID 2188 wrote to memory of 1348	2188	cmd.exe	57
PID 2188 wrote to memory of 1348	2188	cmd.exe	57
PID 2188 wrote to memory of 1348	2188	cmd.exe	57
PID 2188 wrote to memory of 1596	2188	cmd.exe	58
PID 2188 wrote to memory of 1596	2188	cmd.exe	58
PID 2188 wrote to memory of 1596	2188	cmd.exe	58
PID 2188 wrote to memory of 2492	2188	cmd.exe	59
PID 2188 wrote to memory of 2492	2188	cmd.exe	59
PID 2188 wrote to memory of 2492	2188	cmd.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a13996ce9ec70db775df5ee1c34792a4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a13996ce9ec70db775df5ee1c34792a4_JaffaCakes118.exe"
1⤵
- DcRat
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\driverruntime\kGegedvmnVxWQ7.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\driverruntime\E5Fjb70.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\driverruntime\driverruntimereviewwinbroker.exe
      "C:\driverruntime\driverruntimereviewwinbroker.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\og0ngIz9oG.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1396
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1508
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1248
      - C:\driverruntime\driverruntimereviewwinbroker.exe
        
        "C:\driverruntime\driverruntimereviewwinbroker.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkMLmjTFkc.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1596
        
        C:\Windows\System32\fthsvc\lsm.exe
        
        "C:\Windows\System32\fthsvc\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\NlsData0009\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\Windows\Sqm\Upload\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\wpdcomp\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\klist\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\fthsvc\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\inetcomm\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\driverruntime\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\msiprov\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\dssec\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\driverruntime\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\329bf01e4b0e4458370fd3022fe99861a5ba705170752275a81a34455c08959e974be109771822c5

Filesize
504B

MD5
d07e632311ce77770666844d4d12c3b8

SHA1
fe92b7c14801538d7c7fa62ce600bfcf5bc5b71d

SHA256
de3911abc17a9f5cdffd6cd29a4d6a6883195a82889ad5758b04f3154e5a9ced

SHA512
30ee633a67b369fd7a3dace3857a11434d4768ba64036b1e4a4fbe044c020b18adb27d328daa0b388b8669c1ccae9c23db6dc26af24ecbd100a673ad17149007

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkMLmjTFkc.bat

Filesize
210B

MD5
203962a56d654d4e139296812bf61433

SHA1
d571a0abc54adb5f50c680eeae795925f38189cc

SHA256
4a6fb6519fd31f4774c03dcaa37139e9a995df593813c89d2156fc908643b37b

SHA512
a0dc56dafd6bdf5935e0508c74036ede9d5ae68b18001439decab0238a267d30dd043c48c8d2b9f0eda58997bc3ad592a8f1b244abcb9af35da18f87b0d07ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\og0ngIz9oG.bat

Filesize
225B

MD5
2beb408367b0413b74c675ec24fb2786

SHA1
dbce48cc69569931c1ffb438398f41300b575430

SHA256
b9811d2ef8ff28a67b88cd71003852b81c00a101bbff0b65865c76087643504e

SHA512
533c82e9bb9e0c5ab91b34ccc41717cfbe7cc12d9914d94176ec68bef61da400c8c084056a3b0cd54321098b8c53c93091a299534ae677892c467b9bbb45d722

Download Submit
C:\driverruntime\E5Fjb70.bat

Filesize
51B

MD5
eaa874ab241fd40826c737c1a3b0f3df

SHA1
f2f41d0951603bf869076eae8c0d98a11a44c297

SHA256
3f0b3977d065cc7ec8939745001b7dc67cfc3f34b7e87e1d54478e6e213fa82f

SHA512
4956b8bb8baa3f64ca0436a6974f719e656afb1b520dcd40eb6242eaba52d4031fe50e1eaf24db51925d28aaad4e52f3b61c2969d356703b1729c2be72b50913

Download Submit
C:\driverruntime\driverruntimereviewwinbroker.exe

Filesize
2.0MB

MD5
809f43c8c299a2a92ed90b1219bc65cd

SHA1
bba32b8296f00bb6cb296e964bcf6e73e143960f

SHA256
be64d2d039a35aabc97ce277fa748c50ecf2ca6a622bc9421f966cd4497575ba

SHA512
43f5aabe4ef8039aec9ffe7f05c5f6e235e781090651b7a6d71201e4407bf065e4b9c9b604c28dc3087003acb1f9d686a99fc95d7ceed18c5e7d45a43512e065

Download Submit
C:\driverruntime\kGegedvmnVxWQ7.vbe

Filesize
197B

MD5
6903e32ae281e0929a77ca0339c585b7

SHA1
f4a28ed3827b4d1fe6ff42909fd2f7203757e0b9

SHA256
251069df82e17fb9d7c769958e87940b998cd0466569fc12f1ace1016d369b84

SHA512
942f37450e56ddf350b365d3efaf554ad0cfa04db97e3c1906a707ca2877453f2d390c5c455b650158db6d3c9b8862ea1aca21f00188a842768b4dab1080e8aa

Download Submit
memory/2424-33-0x0000000000AF0000-0x0000000000CFE000-memory.dmp

Filesize
2.1MB

Download
memory/2492-60-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2492-59-0x0000000000320000-0x000000000052E000-memory.dmp

Filesize
2.1MB

Download
memory/2492-61-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2492-62-0x0000000000630000-0x0000000000686000-memory.dmp

Filesize
344KB

Download
memory/2492-63-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/2840-13-0x0000000000350000-0x000000000055E000-memory.dmp

Filesize
2.1MB

Download