dcrat | d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984

General

Target

d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Size

2.7MB
MD5

183cb9283d9c8f6282283bd39f49d33c
SHA1

76674564064d31bb9d37f802bdec3821d4a55d89
SHA256

d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984
SHA512

14a40235310755e00bfa58a5169978b7fe40890e2f1149500f77780b82ef1aed1354daafb149de18deb3690bbc1b4f6e885be988e4163b6e3acdd16c30d28e22
SSDEEP

49152:Bfj5Pkja3lMPnl9LS7y5PEeQxtD5vLyCse5EPUC1SKGLFSjvzbN+/rV:BfBkyqPnDSOdEeQfocN8GLQLkz

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2664	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2664	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2664	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2664	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2664	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2664	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2664	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2664	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2664	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2664	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2664	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2664	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2664	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2664	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2664	schtasks.exe	31

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1768-1-0x0000000000D10000-0x0000000000FC4000-memory.dmp	dcrat
behavioral1/files/0x0005000000019263-29.dat	dcrat
behavioral1/files/0x000d00000001706d-91.dat	dcrat
behavioral1/memory/2928-103-0x0000000000230000-0x00000000004E4000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2928	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cc11b995f2a76d	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCXE755.tmp	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCXEBDC.tmp	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\winlogon.exe	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\WmiPrvSE.exe	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\79948976d03d0d	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RCXEDF0.tmp	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RCXEDF1.tmp	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\24dbde2999530e	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RCXE95A.tmp	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RCXE95B.tmp	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCXEBDB.tmp	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\WmiPrvSE.exe	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\winlogon.exe	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCXE756.tmp	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\79948976d03d0d	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Speech\Common\es-ES\OSPPSVC.exe	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2744	schtasks.exe
2668	schtasks.exe
1276	schtasks.exe
2596	schtasks.exe
2588	schtasks.exe
2816	schtasks.exe
2984	schtasks.exe
1540	schtasks.exe
2536	schtasks.exe
2996	schtasks.exe
796	schtasks.exe
1092	schtasks.exe
2688	schtasks.exe
2900	schtasks.exe
2812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1768	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
1768	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
1768	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
2928	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
2928	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
2928	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
2928	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
2928	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
2928	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
2928	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
2928	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
2928	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
2928	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
2928	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
2928	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
2928	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2928	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1768	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Token: SeDebugPrivilege	2928	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1884	1768	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe	47
PID 1768 wrote to memory of 1884	1768	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe	47
PID 1768 wrote to memory of 1884	1768	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe	47
PID 1884 wrote to memory of 2120	1884	cmd.exe	49
PID 1884 wrote to memory of 2120	1884	cmd.exe	49
PID 1884 wrote to memory of 2120	1884	cmd.exe	49
PID 1884 wrote to memory of 2928	1884	cmd.exe	50
PID 1884 wrote to memory of 2928	1884	cmd.exe	50
PID 1884 wrote to memory of 2928	1884	cmd.exe	50

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
"C:\Users\Admin\AppData\Local\Temp\d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ByKppo6dDE.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2120
- - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
    "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984d" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984d" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984d" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984d" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\lsm.exe

Filesize
2.7MB

MD5
183cb9283d9c8f6282283bd39f49d33c

SHA1
76674564064d31bb9d37f802bdec3821d4a55d89

SHA256
d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984

SHA512
14a40235310755e00bfa58a5169978b7fe40890e2f1149500f77780b82ef1aed1354daafb149de18deb3690bbc1b4f6e885be988e4163b6e3acdd16c30d28e22

Download Submit
C:\MSOCache\All Users\lsm.exe

Filesize
2.7MB

MD5
8212b7d6ec473bba42bd71b980f18451

SHA1
01f450ec572f4e86c5ccde1be262de83ee68416d

SHA256
2e0e7885b3bb2ef129a1a27d35f51d488ff51abe884cb566d4fb56e8dfa9e98c

SHA512
cdfa4b54279b6d6ed68f46422f27b4d4f2783faa84b795e678f4d66f971237e4346fa72aa2fa16af0b985cda96fed96d521acc50cb762341eed6fe2d0a2d1842

Download Submit
C:\Users\Admin\AppData\Local\Temp\ByKppo6dDE.bat

Filesize
298B

MD5
c70f3183d55adeba38feabc9e205681e

SHA1
66fe1ae7a2269bb5d30c3a71b67ddc19c9c57645

SHA256
3bf937db6ae7605fa6c140b8ee44d05b8b01b65cb259a21f7fd15ec053ffcb23

SHA512
55cffaadd284071f36ad2f30734e725aee4354ab721b3ff2a554c2eaa2ec419186fc725bb63f2f3670c231da10de0b463c022ad756e7c676a9e30bed00efeddd

Download Submit
memory/1768-12-0x0000000000A90000-0x0000000000A98000-memory.dmp

Filesize
32KB

Download
memory/1768-14-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/1768-5-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/1768-6-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/1768-7-0x00000000009E0000-0x00000000009F6000-memory.dmp

Filesize
88KB

Download
memory/1768-8-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/1768-9-0x0000000000A80000-0x0000000000A88000-memory.dmp

Filesize
32KB

Download
memory/1768-10-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

Filesize
40KB

Download
memory/1768-11-0x000000001AFE0000-0x000000001B036000-memory.dmp

Filesize
344KB

Download
memory/1768-0-0x000007FEF5E33000-0x000007FEF5E34000-memory.dmp

Filesize
4KB

Download
memory/1768-13-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

Filesize
72KB

Download
memory/1768-4-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/1768-15-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

Filesize
32KB

Download
memory/1768-16-0x0000000000C00000-0x0000000000C0C000-memory.dmp

Filesize
48KB

Download
memory/1768-17-0x0000000000C10000-0x0000000000C1E000-memory.dmp

Filesize
56KB

Download
memory/1768-18-0x000000001A940000-0x000000001A94C000-memory.dmp

Filesize
48KB

Download
memory/1768-19-0x000000001A950000-0x000000001A95A000-memory.dmp

Filesize
40KB

Download
memory/1768-20-0x000000001A960000-0x000000001A96C000-memory.dmp

Filesize
48KB

Download
memory/1768-3-0x00000000001E0000-0x00000000001EE000-memory.dmp

Filesize
56KB

Download
memory/1768-2-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/1768-1-0x0000000000D10000-0x0000000000FC4000-memory.dmp

Filesize
2.7MB

Download
memory/1768-100-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2928-103-0x0000000000230000-0x00000000004E4000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads