dcrat | c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c

General

Target

c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Size

1.1MB
MD5

47ca2bfa2766ff45af97abbd85cd2e6d
SHA1

248680da6aad01e8416e19ed8666ba5462de3bd3
SHA256

c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c
SHA512

60c2f234538bc55b739f7f8131ef1efe00a77cc42c5647e93c93b9408c89c1c9c20b7bfccd01e9aa84a39bb2e7c096c8b89fdf415c402b74927b7320902c44de
SSDEEP

24576:AMYPCI+q+U4cIG409ozWucypk1Nd4AX+iB/YjuM6kyh+W:ABPZ0Kr1FXHB/guM6k+f

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 24 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
2792	schtasks.exe
1104	schtasks.exe
2680	schtasks.exe
1616	schtasks.exe
2804	schtasks.exe
2364	schtasks.exe
2944	schtasks.exe
2892	schtasks.exe
3056	schtasks.exe
1192	schtasks.exe
2920	schtasks.exe
1868	schtasks.exe
1152	schtasks.exe
2980	schtasks.exe
2768	schtasks.exe
2928	schtasks.exe
2996	schtasks.exe
2676	schtasks.exe
2860	schtasks.exe
1980	schtasks.exe
2684	schtasks.exe
320	schtasks.exe
2080	schtasks.exe
3016	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Mail\\ja-JP\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\explorer.exe\", \"C:\\Users\\Default User\\OSPPSVC.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Mail\\ja-JP\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\explorer.exe\", \"C:\\Users\\Default User\\OSPPSVC.exe\", \"C:\\Users\\Default User\\sppsvc.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Mail\\ja-JP\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\explorer.exe\", \"C:\\Users\\Default User\\OSPPSVC.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Users\\All Users\\Package Cache\\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\\packages\\vcRuntimeAdditional_amd64\\csrss.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Mail\\ja-JP\\dwm.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Mail\\ja-JP\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Mail\\ja-JP\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\WmiPrvSE.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Mail\\ja-JP\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\explorer.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2432	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2432	schtasks.exe	31

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2280-1-0x00000000008C0000-0x00000000009EE000-memory.dmp	dcrat
behavioral1/files/0x000500000001950f-15.dat	dcrat
behavioral1/memory/2476-30-0x0000000000040000-0x000000000016E000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2476	csrss.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Mail\\ja-JP\\dwm.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\WmiPrvSE.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Users\\Default User\\OSPPSVC.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Users\\Default User\\OSPPSVC.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Package Cache\\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\\packages\\vcRuntimeAdditional_amd64\\csrss.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Mail\\ja-JP\\dwm.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\WmiPrvSE.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Package Cache\\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\\packages\\vcRuntimeAdditional_amd64\\csrss.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\explorer.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\explorer.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\ja-JP\6cb0b6c459d5d3	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\explorer.exe	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\7a0fd90576e088	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
File created	C:\Program Files\Windows Mail\ja-JP\dwm.exe	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\index\taskhost.exe	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2768	schtasks.exe
1192	schtasks.exe
2928	schtasks.exe
2996	schtasks.exe
2792	schtasks.exe
2980	schtasks.exe
2892	schtasks.exe
3056	schtasks.exe
320	schtasks.exe
3016	schtasks.exe
1152	schtasks.exe
2364	schtasks.exe
2920	schtasks.exe
1104	schtasks.exe
1616	schtasks.exe
1980	schtasks.exe
2860	schtasks.exe
2944	schtasks.exe
2676	schtasks.exe
2684	schtasks.exe
2080	schtasks.exe
2680	schtasks.exe
2804	schtasks.exe
1868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2280	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
2280	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
2280	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
2280	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
2280	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
2280	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
2280	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
2476	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Token: SeDebugPrivilege	2476	csrss.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2476	2280	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe	56
PID 2280 wrote to memory of 2476	2280	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe	56
PID 2280 wrote to memory of 2476	2280	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
"C:\Users\Admin\AppData\Local\Temp\c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280
- C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe
  "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\ja-JP\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\Accessories\explorer.exe

Filesize
1.1MB

MD5
47ca2bfa2766ff45af97abbd85cd2e6d

SHA1
248680da6aad01e8416e19ed8666ba5462de3bd3

SHA256
c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c

SHA512
60c2f234538bc55b739f7f8131ef1efe00a77cc42c5647e93c93b9408c89c1c9c20b7bfccd01e9aa84a39bb2e7c096c8b89fdf415c402b74927b7320902c44de

Download Submit
memory/2280-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/2280-1-0x00000000008C0000-0x00000000009EE000-memory.dmp

Filesize
1.2MB

Download
memory/2280-2-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-3-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/2280-4-0x0000000000370000-0x0000000000382000-memory.dmp

Filesize
72KB

Download
memory/2280-5-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/2280-6-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/2280-31-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2476-30-0x0000000000040000-0x000000000016E000-memory.dmp

Filesize
1.2MB

Download
memory/2476-32-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads