dcrat | 194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6

Analysis

max time kernel
87s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/01/2025, 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
Size

2.5MB
MD5

6e7a558a3aed704c4f3d087e74d58800
SHA1

69b96f97748dd4e5aa6b07f1c0c69acb3107db57
SHA256

194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6
SHA512

a5c2f142dfced1091e3a533937d53e27164445279717ad02f2988f705e7da9ffa40a8f63e9b9eac2fec804caf7125af76db5135170df179200d30947405ce3c9
SSDEEP

49152:BTmiAznN8OLA03GMjKoZYz+WqE3GMAsH4wDnyBMzTvAaULscNpVQPUmXqs:0iAzSOLA0cooNrkSD6brVlq

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat 23 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
		2308	schtasks.exe
		2036	schtasks.exe
		2844	schtasks.exe
		2808	schtasks.exe
		2424	schtasks.exe
		592	schtasks.exe
		1152	schtasks.exe
		2240	schtasks.exe
		1684	schtasks.exe
		888	schtasks.exe
		2788	schtasks.exe
		2836	schtasks.exe
File created	C:\Program Files\7-Zip\Lang\886983d96e3d3e		194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
		2544	schtasks.exe
		2720	schtasks.exe
		1608	schtasks.exe
		2620	schtasks.exe
		288	schtasks.exe
		1240	schtasks.exe
		2300	schtasks.exe
		2152	schtasks.exe
		2312	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	1444	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	1444	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	1444	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	1444	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	1444	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	1444	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	1444	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	1444	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	1444	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	1444	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	1444	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	1444	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1444	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	1444	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	1444	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	1444	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1444	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	1444	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	1444	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	1444	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1444	schtasks.exe	32

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2760-13-0x0000000000400000-0x00000000005D8000-memory.dmp	dcrat
behavioral1/memory/2760-19-0x0000000000400000-0x00000000005D8000-memory.dmp	dcrat
behavioral1/memory/2760-23-0x0000000000400000-0x00000000005D8000-memory.dmp	dcrat
behavioral1/memory/2760-17-0x0000000000400000-0x00000000005D8000-memory.dmp	dcrat
behavioral1/memory/2760-14-0x0000000000400000-0x00000000005D8000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2936	powershell.exe
2632	powershell.exe
2900	powershell.exe
2660	powershell.exe
316	powershell.exe
1668	powershell.exe
2156	powershell.exe
2648	powershell.exe
2920	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
1616	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
2348	wininit.exe

Loads dropped DLL 4 IoCs

pid	Process
2760	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
1616	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1288 set thread context of 2760	1288	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	31
PID 1616 set thread context of 2316	1616	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	46

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\RCX4405.tmp	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
File created	C:\Program Files\7-Zip\Lang\csrss.exe	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
File opened for modification	C:\Program Files\7-Zip\Lang\csrss.exe	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
File created	C:\Program Files\7-Zip\Lang\886983d96e3d3e	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX4404.tmp	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\cc11b995f2a76d	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
File created	C:\Windows\RemotePackages\RemoteApps\WmiPrvSE.exe	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
File opened for modification	C:\Windows\en-US\lsass.exe	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\WmiPrvSE.exe	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
File created	C:\Windows\security\audit\dwm.exe	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
File created	C:\Windows\security\audit\6cb0b6c459d5d3	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
File created	C:\Windows\en-US\lsass.exe	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
File created	C:\Windows\en-US\6203df4a6bafc7	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
File created	C:\Windows\RemotePackages\RemoteApps\24dbde2999530e	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
File opened for modification	C:\Windows\security\audit\dwm.exe	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wininit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2152	schtasks.exe
2036	schtasks.exe
2844	schtasks.exe
1608	schtasks.exe
2424	schtasks.exe
592	schtasks.exe
1240	schtasks.exe
1684	schtasks.exe
2808	schtasks.exe
1152	schtasks.exe
2788	schtasks.exe
2240	schtasks.exe
2308	schtasks.exe
2300	schtasks.exe
2544	schtasks.exe
2836	schtasks.exe
2620	schtasks.exe
288	schtasks.exe
888	schtasks.exe
2312	schtasks.exe
2720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2760	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
1668	powershell.exe
316	powershell.exe
2920	powershell.exe
2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
2156	powershell.exe
2900	powershell.exe
2632	powershell.exe
2660	powershell.exe
2936	powershell.exe
2648	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2760	1288	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	31
PID 1288 wrote to memory of 2760	1288	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	31
PID 1288 wrote to memory of 2760	1288	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	31
PID 1288 wrote to memory of 2760	1288	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	31
PID 1288 wrote to memory of 2760	1288	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	31
PID 1288 wrote to memory of 2760	1288	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	31
PID 1288 wrote to memory of 2760	1288	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	31
PID 1288 wrote to memory of 2760	1288	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	31
PID 1288 wrote to memory of 2760	1288	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	31
PID 2760 wrote to memory of 316	2760	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	39
PID 2760 wrote to memory of 316	2760	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	39
PID 2760 wrote to memory of 316	2760	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	39
PID 2760 wrote to memory of 316	2760	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	39
PID 2760 wrote to memory of 2920	2760	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	40
PID 2760 wrote to memory of 2920	2760	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	40
PID 2760 wrote to memory of 2920	2760	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	40
PID 2760 wrote to memory of 2920	2760	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	40
PID 2760 wrote to memory of 1668	2760	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	42
PID 2760 wrote to memory of 1668	2760	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	42
PID 2760 wrote to memory of 1668	2760	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	42
PID 2760 wrote to memory of 1668	2760	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	42
PID 2760 wrote to memory of 1616	2760	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	45
PID 2760 wrote to memory of 1616	2760	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	45
PID 2760 wrote to memory of 1616	2760	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	45
PID 2760 wrote to memory of 1616	2760	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	45
PID 1616 wrote to memory of 2316	1616	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	46
PID 1616 wrote to memory of 2316	1616	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	46
PID 1616 wrote to memory of 2316	1616	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	46
PID 1616 wrote to memory of 2316	1616	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	46
PID 1616 wrote to memory of 2316	1616	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	46
PID 1616 wrote to memory of 2316	1616	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	46
PID 1616 wrote to memory of 2316	1616	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	46
PID 1616 wrote to memory of 2316	1616	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	46
PID 1616 wrote to memory of 2316	1616	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	46
PID 2316 wrote to memory of 2156	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	62
PID 2316 wrote to memory of 2156	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	62
PID 2316 wrote to memory of 2156	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	62
PID 2316 wrote to memory of 2156	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	62
PID 2316 wrote to memory of 2936	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	63
PID 2316 wrote to memory of 2936	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	63
PID 2316 wrote to memory of 2936	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	63
PID 2316 wrote to memory of 2936	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	63
PID 2316 wrote to memory of 2900	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	65
PID 2316 wrote to memory of 2900	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	65
PID 2316 wrote to memory of 2900	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	65
PID 2316 wrote to memory of 2900	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	65
PID 2316 wrote to memory of 2632	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	66
PID 2316 wrote to memory of 2632	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	66
PID 2316 wrote to memory of 2632	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	66
PID 2316 wrote to memory of 2632	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	66
PID 2316 wrote to memory of 2648	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	67
PID 2316 wrote to memory of 2648	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	67
PID 2316 wrote to memory of 2648	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	67
PID 2316 wrote to memory of 2648	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	67
PID 2316 wrote to memory of 2660	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	70
PID 2316 wrote to memory of 2660	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	70
PID 2316 wrote to memory of 2660	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	70
PID 2316 wrote to memory of 2660	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	70
PID 2316 wrote to memory of 2348	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	74
PID 2316 wrote to memory of 2348	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	74
PID 2316 wrote to memory of 2348	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	74
PID 2316 wrote to memory of 2348	2316	194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
"C:\Users\Admin\AppData\Local\Temp\194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe"
1⤵
- DcRat
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Local\Temp\194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
  "C:\Users\Admin\AppData\Local\Temp\194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe"
  2⤵
  - DcRat
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:316
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- - C:\Users\Admin\AppData\Local\Temp\194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
    "C:\Users\Admin\AppData\Local\Temp\194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe
      "C:\Users\Admin\AppData\Local\Temp\194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2316
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\audit\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
    - - C:\Users\Default\wininit.exe
        
        "C:\Users\Default\wininit.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\security\audit\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\security\audit\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\security\audit\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\RemotePackages\RemoteApps\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\RemotePackages\RemoteApps\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\csrss.exe

Filesize
2.5MB

MD5
6e7a558a3aed704c4f3d087e74d58800

SHA1
69b96f97748dd4e5aa6b07f1c0c69acb3107db57

SHA256
194073470fba4de22e1c88dacfd7a2b8719586e4614d22371bcbe2cc0267c5f6

SHA512
a5c2f142dfced1091e3a533937d53e27164445279717ad02f2988f705e7da9ffa40a8f63e9b9eac2fec804caf7125af76db5135170df179200d30947405ce3c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4b6fe4c2ce7d5b3edec4161218dfa644

SHA1
ddb8f1bd8babb750f9e2d1632ac843243be7174c

SHA256
5645ca2bfee15f2e6cf00c4aa97c2287dcd582114235213e04084e8a6433ecac

SHA512
2caa9187081bc5e13832b321fa0203b864b179940e5a3a469b17f5caeb091798b9dddfe676235eab91fb4d913a84db80eb565a49bba1c4afacc69892928b9fd6

Download Submit
memory/1288-6-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/1288-3-0x0000000000550000-0x000000000056A000-memory.dmp

Filesize
104KB

Download
memory/1288-4-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/1288-5-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/1288-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/1288-7-0x0000000008530000-0x0000000008760000-memory.dmp

Filesize
2.2MB

Download
memory/1288-8-0x0000000009970000-0x0000000009B96000-memory.dmp

Filesize
2.1MB

Download
memory/1288-2-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/1288-1-0x00000000008D0000-0x0000000000B50000-memory.dmp

Filesize
2.5MB

Download
memory/1288-25-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2348-126-0x00000000012C0000-0x0000000001540000-memory.dmp

Filesize
2.5MB

Download
memory/2760-22-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2760-28-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/2760-17-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2760-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-14-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2760-24-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2760-19-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2760-26-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/2760-27-0x0000000000360000-0x000000000037C000-memory.dmp

Filesize
112KB

Download
memory/2760-23-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2760-29-0x00000000003A0000-0x00000000003B6000-memory.dmp

Filesize
88KB

Download
memory/2760-30-0x00000000024F0000-0x0000000002546000-memory.dmp

Filesize
344KB

Download
memory/2760-31-0x00000000005E0000-0x00000000005EE000-memory.dmp

Filesize
56KB

Download
memory/2760-32-0x00000000006D0000-0x00000000006DC000-memory.dmp

Filesize
48KB

Download
memory/2760-11-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2760-13-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2760-81-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2760-10-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download