dcrat | 9cb41290c48b270282afbcc08569844197c642382bb79d621568fa3ac0ca1439

Analysis

max time kernel
66s
max time network
59s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
Size

912KB
MD5

7902d7438cd06a2393e97a07fbf53b08
SHA1

6cd4f8d9510d87d2f112cd6be3e92dba29456319
SHA256

9cb41290c48b270282afbcc08569844197c642382bb79d621568fa3ac0ca1439
SHA512

81d167bf915501a286285f6e1f08419c9576713549f3cef6e7dd7954874e9a43e5b1d18e7546fd696afeffcb9f8f43069dd5f11302f12259d83c652b6c5a3cd0
SSDEEP

24576:Sa3x1VStiA7iw63VboDAJDyL+qq+aWTIN+4:Rswq63IEU

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 18 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2864	schtasks.exe
		1484	schtasks.exe
		2424	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\EhStorAuthn\\dllhost.exe\""		JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
		2740	schtasks.exe
		2472	schtasks.exe
		1272	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\L2Schemas\\winlogon.exe\""		JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
		2884	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\ehome\\es-ES\\sppsvc.exe\""		JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
		2332	schtasks.exe
		2076	schtasks.exe
File created	C:\Windows\System32\EhStorAuthn\dllhost.exe		JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
		2828	schtasks.exe
		1296	schtasks.exe
		1996	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\wsepno\\taskhost.exe\""		JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
		1172	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 13 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2912	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2912	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2912	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2912	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2912	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2912	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2912	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2912	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2912	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2912	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2912	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2912	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2912	schtasks.exe	29

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1356-1-0x00000000001C0000-0x00000000002AC000-memory.dmp	dcrat
behavioral1/memory/2264-17-0x0000000000280000-0x000000000036C000-memory.dmp	dcrat
behavioral1/files/0x0005000000019bf9-18.dat	dcrat
behavioral1/memory/2200-29-0x00000000000B0000-0x000000000019C000-memory.dmp	dcrat
behavioral1/memory/2052-49-0x0000000001350000-0x000000000143C000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2052	csrss.exe

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\hgprint\\lsass.exe\""	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\KBDHU\\csrss.exe\""	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\SMTPCons\\WmiPrvSE.exe\""	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\ProgramData\\Microsoft Help\\sppsvc.exe\""	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\wsepno\\taskhost.exe\""	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\ehome\\es-ES\\sppsvc.exe\""	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\lsass\\taskhost.exe\""	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\umpass\\WmiPrvSE.exe\""	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\PerfLogs\\Admin\\dllhost.exe\""	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Default User\\WmiPrvSE.exe\""	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\EhStorAuthn\\dllhost.exe\""	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\L2Schemas\\winlogon.exe\""	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\SSShim\\taskhost.exe\""	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File created	C:\Windows\System32\SSShim\b75386f1303e64d8139363b71e44ac16341adf4e	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
File created	C:\Windows\System32\wbem\umpass\WmiPrvSE.exe	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
File created	C:\Windows\System32\lsass\b75386f1303e64d8139363b71e44ac16341adf4e	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
File opened for modification	C:\Windows\System32\EhStorAuthn\dllhost.exe	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
File created	C:\Windows\System32\EhStorAuthn\5940a34987c99120d96dace90a3f93f329dcad63	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
File created	C:\Windows\System32\wsepno\taskhost.exe	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
File created	C:\Windows\System32\KBDHU\886983d96e3d3e31032c679b2d4ea91b6c05afef	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
File created	C:\Windows\System32\SSShim\taskhost.exe	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
File opened for modification	C:\Windows\System32\hgprint\lsass.exe	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
File created	C:\Windows\System32\KBDHU\csrss.exe	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
File created	C:\Windows\System32\lsass\taskhost.exe	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
File created	C:\Windows\System32\hgprint\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
File created	C:\Windows\System32\EhStorAuthn\dllhost.exe	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
File created	C:\Windows\System32\wsepno\b75386f1303e64d8139363b71e44ac16341adf4e	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
File created	C:\Windows\System32\wbem\umpass\24dbde2999530ef5fd907494bc374d663924116c	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
File created	C:\Windows\System32\wbem\SMTPCons\24dbde2999530ef5fd907494bc374d663924116c	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
File opened for modification	C:\Windows\System32\SSShim\taskhost.exe	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
File created	C:\Windows\System32\hgprint\lsass.exe	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
File created	C:\Windows\System32\wbem\SMTPCons\WmiPrvSE.exe	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\winlogon.exe	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
File created	C:\Windows\L2Schemas\cc11b995f2a76da408ea6a601e682e64743153ad	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
File created	C:\Windows\ehome\es-ES\sppsvc.exe	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
File created	C:\Windows\ehome\es-ES\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1996	schtasks.exe
2424	schtasks.exe
2864	schtasks.exe
2740	schtasks.exe
2472	schtasks.exe
1172	schtasks.exe
1484	schtasks.exe
1296	schtasks.exe
2076	schtasks.exe
2828	schtasks.exe
2884	schtasks.exe
2332	schtasks.exe
1272	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1356	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
2264	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
2200	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
2052	csrss.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
Token: SeDebugPrivilege	2264	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
Token: SeDebugPrivilege	2200	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
Token: SeDebugPrivilege	2052	csrss.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 2716	1356	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe	34
PID 1356 wrote to memory of 2716	1356	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe	34
PID 1356 wrote to memory of 2716	1356	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe	34
PID 2716 wrote to memory of 2788	2716	cmd.exe	36
PID 2716 wrote to memory of 2788	2716	cmd.exe	36
PID 2716 wrote to memory of 2788	2716	cmd.exe	36
PID 2716 wrote to memory of 2264	2716	cmd.exe	37
PID 2716 wrote to memory of 2264	2716	cmd.exe	37
PID 2716 wrote to memory of 2264	2716	cmd.exe	37
PID 2264 wrote to memory of 2956	2264	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe	41
PID 2264 wrote to memory of 2956	2264	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe	41
PID 2264 wrote to memory of 2956	2264	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe	41
PID 2956 wrote to memory of 3064	2956	cmd.exe	43
PID 2956 wrote to memory of 3064	2956	cmd.exe	43
PID 2956 wrote to memory of 3064	2956	cmd.exe	43
PID 2956 wrote to memory of 2200	2956	cmd.exe	44
PID 2956 wrote to memory of 2200	2956	cmd.exe	44
PID 2956 wrote to memory of 2200	2956	cmd.exe	44
PID 2200 wrote to memory of 2088	2200	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe	51
PID 2200 wrote to memory of 2088	2200	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe	51
PID 2200 wrote to memory of 2088	2200	JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe	51
PID 2088 wrote to memory of 2684	2088	cmd.exe	53
PID 2088 wrote to memory of 2684	2088	cmd.exe	53
PID 2088 wrote to memory of 2684	2088	cmd.exe	53
PID 2088 wrote to memory of 2052	2088	cmd.exe	54
PID 2088 wrote to memory of 2052	2088	cmd.exe	54
PID 2088 wrote to memory of 2052	2088	cmd.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe"
1⤵
- DcRat
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RkUuwG7Ni7.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2788
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe"
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CdLSnlOBDu.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:3064
    - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08.exe"
        5⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9H1IRSqM1L.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2684
        
        C:\Windows\System32\KBDHU\csrss.exe
        
        "C:\Windows\System32\KBDHU\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\EhStorAuthn\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\L2Schemas\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\wsepno\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ehome\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\SSShim\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\umpass\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\lsass\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\hgprint\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PerfLogs\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\KBDHU\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\SMTPCons\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\ProgramData\Microsoft Help\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9H1IRSqM1L.bat

Filesize
199B

MD5
70cace71a1b108f59d0ed8d6efb83e02

SHA1
ea9abffb2e104a0241a994766373374e00120f81

SHA256
7bd7b3fbff3701bf289286ee48115fe923e7447e9af59767e38ea8b7d94aee81

SHA512
f7e9fe5b05896a438f7288078b8a3d331ab52c211ea10a3abbdda3b2136514810d8cada62d1e6d3f3a458d540d0bc9d7ece05335eb3c102f32eb051c0c4e6086

Download Submit
C:\Users\Admin\AppData\Local\Temp\CdLSnlOBDu.bat

Filesize
248B

MD5
b7e7695c3dce3497c6c29c167ac6e3e8

SHA1
f3c4764b97230b771b780c3c7d147dd5ddb78cc4

SHA256
cbef22caa91debe603f20d1c6e217f7323bfa24dd895de5f8edafe46e0a3dd23

SHA512
de5b4078fb7e611dea351ffb97cd0521c917a3936fd4ecb7fde6ded3229baea7f247b48659631ab962d3653380b189d401f7ead074b415e686ba23ecc1e8df13

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkUuwG7Ni7.bat

Filesize
248B

MD5
63f0c2d5b65510552d7c3addfaf50080

SHA1
16e2636c5b3719b529cb9f78f94d37403c584169

SHA256
44d38a4b575d4136ab7fc4eab98b4664c81aeb4d6533d1475327697429ac9657

SHA512
46b2a0780dd8609644c661141746058beae4101673317072b2e8305862c3d7a3395b3e40bb97f283d282a75ce9f77131560927db64511709ceda9dfe90c91d67

Download Submit
C:\Windows\System32\SSShim\taskhost.exe

Filesize
912KB

MD5
7902d7438cd06a2393e97a07fbf53b08

SHA1
6cd4f8d9510d87d2f112cd6be3e92dba29456319

SHA256
9cb41290c48b270282afbcc08569844197c642382bb79d621568fa3ac0ca1439

SHA512
81d167bf915501a286285f6e1f08419c9576713549f3cef6e7dd7954874e9a43e5b1d18e7546fd696afeffcb9f8f43069dd5f11302f12259d83c652b6c5a3cd0

Download Submit
memory/1356-0-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

Filesize
4KB

Download
memory/1356-1-0x00000000001C0000-0x00000000002AC000-memory.dmp

Filesize
944KB

Download
memory/1356-2-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/1356-16-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2052-49-0x0000000001350000-0x000000000143C000-memory.dmp

Filesize
944KB

Download
memory/2200-29-0x00000000000B0000-0x000000000019C000-memory.dmp

Filesize
944KB

Download
memory/2264-17-0x0000000000280000-0x000000000036C000-memory.dmp

Filesize
944KB

Download