dcrat | 81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7

General

Target

81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
Size

2.7MB
MD5

7e97e05bf0649b2ff41dfafaae0af73a
SHA1

0b7089e9d951281935559e908ae42b54ebdebd41
SHA256

81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7
SHA512

a5748b673c4b4c45228b4e31fab96b8f2db079a221b96143612b30710e8d068cfe1bf8221ffddf1002b074e1f80dfc2f7db824a98a09c97c26c7597b0531d00b
SSDEEP

49152:sDkZWCF2T8juUND4YQxZzfllulb0fnyN27mEGnjYEhQ+QK:N4CF2sjELplCbmyN27PxEhQ+

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	3520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	3520	schtasks.exe	83

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3012-1-0x0000000000160000-0x0000000000414000-memory.dmp	dcrat
behavioral2/files/0x0007000000023c8e-30.dat	dcrat
behavioral2/files/0x0008000000023c86-86.dat	dcrat
behavioral2/files/0x0009000000023c8a-97.dat	dcrat
behavioral2/files/0x000a000000023c8e-119.dat	dcrat
behavioral2/files/0x0009000000023c92-130.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe

Executes dropped EXE 1 IoCs

pid	Process
3496	wininit.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\29c1c3cc0f7685	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\RCX981E.tmp	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\wininit.exe	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\System.exe	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File created	C:\Program Files\WindowsPowerShell\Modules\56085415360792	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\RCX981D.tmp	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File opened for modification	C:\Program Files\Windows NT\unsecapp.exe	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File created	C:\Program Files\WindowsPowerShell\Modules\wininit.exe	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\27d1bcfc3c54e0	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File opened for modification	C:\Program Files\Windows NT\RCX9CB5.tmp	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File opened for modification	C:\Program Files\Windows NT\RCX9D33.tmp	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCXA538.tmp	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File created	C:\Program Files\Windows NT\unsecapp.exe	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCXA4BA.tmp	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\System.exe	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\security\templates\dwm.exe	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File created	C:\Windows\security\templates\6cb0b6c459d5d3	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File created	C:\Windows\LiveKernelReports\RuntimeBroker.exe	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File opened for modification	C:\Windows\security\templates\RCX9608.tmp	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File opened for modification	C:\Windows\LiveKernelReports\RCX9FF4.tmp	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File opened for modification	C:\Windows\security\templates\dwm.exe	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File created	C:\Windows\LiveKernelReports\9e8d7a4ca61bd9	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File opened for modification	C:\Windows\security\templates\RCX9609.tmp	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File opened for modification	C:\Windows\LiveKernelReports\RCX9F76.tmp	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
File opened for modification	C:\Windows\LiveKernelReports\RuntimeBroker.exe	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3312	schtasks.exe
3784	schtasks.exe
852	schtasks.exe
1472	schtasks.exe
3716	schtasks.exe
2024	schtasks.exe
2748	schtasks.exe
4924	schtasks.exe
2504	schtasks.exe
3112	schtasks.exe
4984	schtasks.exe
1636	schtasks.exe
2480	schtasks.exe
2060	schtasks.exe
3388	schtasks.exe
2868	schtasks.exe
2348	schtasks.exe
3384	schtasks.exe
2932	schtasks.exe
2152	schtasks.exe
2164	schtasks.exe
2168	schtasks.exe
4628	schtasks.exe
896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3012	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
3012	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
3012	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
3496	wininit.exe
3496	wininit.exe
3496	wininit.exe
3496	wininit.exe
3496	wininit.exe
3496	wininit.exe
3496	wininit.exe
3496	wininit.exe
3496	wininit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
Token: SeDebugPrivilege	3496	wininit.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2224	3012	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe	109
PID 3012 wrote to memory of 2224	3012	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe	109
PID 2224 wrote to memory of 2656	2224	cmd.exe	111
PID 2224 wrote to memory of 2656	2224	cmd.exe	111
PID 2224 wrote to memory of 3496	2224	cmd.exe	113
PID 2224 wrote to memory of 3496	2224	cmd.exe	113

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe
"C:\Users\Admin\AppData\Local\Temp\81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ABNdhKLsdq.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2656
- - C:\Program Files\WindowsPowerShell\Modules\wininit.exe
    "C:\Program Files\WindowsPowerShell\Modules\wininit.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\security\templates\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\security\templates\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\security\templates\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Modules\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default\SendTo\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\SendTo\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default\SendTo\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows NT\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows NT\unsecapp.exe

Filesize
2.7MB

MD5
c89d58e7d8d65af699d69b4676ea1625

SHA1
e842916f6b21f7066b4bd0acd476500f15b148b4

SHA256
caf33afebe34078d92aece875f5d60428077d19c55b81e375d072e9e0ff145af

SHA512
659de149af7df3c587ab57b1d515fda44f704ca89713c0d71a144f03bfa0bf0b3fddcafcecc95f7c95d28d7cc10041ae2d810e9a753769f873afcead1d435a7b

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\System.exe

Filesize
2.7MB

MD5
3dfb125d5a55a7523dfb238c334b1e0a

SHA1
21835a418ed5418770ed9c88e7eb0762d0bbf4a9

SHA256
8fbd91d0b86b38246de9a733ee53f1fdd46b89e9e850f6d40829bc025e93a341

SHA512
9fb21cabe4437aed4f964cc9b733cb7303630eabb573bac50211fe74986e31cdce35fb8a1a4e40563e7df232b1b714c0d06c83a5aadbe37448ca1f2cef03e4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABNdhKLsdq.bat

Filesize
219B

MD5
4e726cdceb99206b8654a90cb36dd0f3

SHA1
94831c66f82995569ed76bde44efffd1f6b2ea61

SHA256
ec864baad9519e6d6ae4c651b600556f6faea852b7acfa53a0e82d8b54e75c42

SHA512
1e348a1fad06d3ee545415239c0558c56a8a865c121f73ab6aeb31d1d430e63c11c278b3a26a9250518e690a6b231a1818a94c98585e3f3fbaaf242693ad7e2b

Download Submit
C:\Users\Public\Pictures\smss.exe

Filesize
2.7MB

MD5
2ec3ae4dbd2050790a5c7c0a40d0db73

SHA1
dc03fe5a8cfa1036db31923aafda51a7bfa3f6ab

SHA256
0831122d7a7ae3e0f9c913f288fab3d62ddcdbcec7560ecd53c42387e4d3edce

SHA512
fca5ac64351bba314114ed09071c30f99f573114bf7f314d7c21264ac2694a6b110618f24679b848d0e486990573d8e6c8f8e0458e045b6d73f48617e66f5b1a

Download Submit
C:\Windows\LiveKernelReports\RuntimeBroker.exe

Filesize
2.7MB

MD5
7e97e05bf0649b2ff41dfafaae0af73a

SHA1
0b7089e9d951281935559e908ae42b54ebdebd41

SHA256
81f8f7131b6dbddec113e391b343f6bdbb321ec41a7400bf9c32f52afb8bcea7

SHA512
a5748b673c4b4c45228b4e31fab96b8f2db079a221b96143612b30710e8d068cfe1bf8221ffddf1002b074e1f80dfc2f7db824a98a09c97c26c7597b0531d00b

Download Submit
C:\Windows\LiveKernelReports\RuntimeBroker.exe

Filesize
2.7MB

MD5
0524fc49ccd2edc8ebc84f522994dfee

SHA1
e769b00c8776d240cd11490b59be27904aff612b

SHA256
f6f9b7e764ed32a3df405cd77ffdec4cf721e4124f9260f13a048125a4e8726e

SHA512
5c713e551de6839648097168958d71f665b1b73cd73a50512e659c35f2fb2ed9a2919741a57321346467aeaa031289311ee0638a45772a5a1f3c560daf061ccc

Download Submit
memory/3012-14-0x000000001BCD0000-0x000000001C1F8000-memory.dmp

Filesize
5.2MB

Download
memory/3012-15-0x000000001B7A0000-0x000000001B7A8000-memory.dmp

Filesize
32KB

Download
memory/3012-11-0x000000001B100000-0x000000001B156000-memory.dmp

Filesize
344KB

Download
memory/3012-10-0x00000000025B0000-0x00000000025BA000-memory.dmp

Filesize
40KB

Download
memory/3012-9-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download
memory/3012-8-0x0000000002580000-0x0000000002596000-memory.dmp

Filesize
88KB

Download
memory/3012-12-0x000000001B150000-0x000000001B158000-memory.dmp

Filesize
32KB

Download
memory/3012-13-0x000000001B770000-0x000000001B782000-memory.dmp

Filesize
72KB

Download
memory/3012-0-0x00007FFF45A13000-0x00007FFF45A15000-memory.dmp

Filesize
8KB

Download
memory/3012-16-0x000000001B7B0000-0x000000001B7B8000-memory.dmp

Filesize
32KB

Download
memory/3012-17-0x000000001B7C0000-0x000000001B7CC000-memory.dmp

Filesize
48KB

Download
memory/3012-7-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3012-18-0x000000001B7D0000-0x000000001B7DE000-memory.dmp

Filesize
56KB

Download
memory/3012-19-0x000000001B7E0000-0x000000001B7EC000-memory.dmp

Filesize
48KB

Download
memory/3012-21-0x000000001B800000-0x000000001B80C000-memory.dmp

Filesize
48KB

Download
memory/3012-20-0x000000001B7F0000-0x000000001B7FA000-memory.dmp

Filesize
40KB

Download
memory/3012-6-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/3012-5-0x000000001B0B0000-0x000000001B100000-memory.dmp

Filesize
320KB

Download
memory/3012-4-0x0000000002540000-0x000000000255C000-memory.dmp

Filesize
112KB

Download
memory/3012-3-0x0000000002520000-0x000000000252E000-memory.dmp

Filesize
56KB

Download
memory/3012-2-0x00007FFF45A10000-0x00007FFF464D1000-memory.dmp

Filesize
10.8MB

Download
memory/3012-139-0x00007FFF45A10000-0x00007FFF464D1000-memory.dmp

Filesize
10.8MB

Download
memory/3012-1-0x0000000000160000-0x0000000000414000-memory.dmp

Filesize
2.7MB

Download
memory/3496-144-0x000000001C3E0000-0x000000001C436000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads