dcrat | d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0

Analysis

max time kernel
96s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Size

2.7MB
MD5

133f58a8a158d4d0edb84f287c27127f
SHA1

2af95a4364675e01e0d688639bd8a19cf8f12dea
SHA256

d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0
SHA512

c0c6ffe1f272d68231ef9244f77b15645d16ed20b8fbd7706e11339240ba25943f70d7b69150b75abc6b0089e86a77a0800cbc99fda2db5d8500b4b9ccfaa247
SSDEEP

49152:sqyJUSQelMhlk1w19BlUobhENGZXxRWi0UAuqYqqncK:pyJlQgGk1wPko1oO30UA7Yqqr

Score

10^/10

dcrat defense_evasion infostealer rat trojan

Malware Config

Signatures

DcRat 47 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1648	schtasks.exe
		552	schtasks.exe
		2584	schtasks.exe
		4272	schtasks.exe
		4848	schtasks.exe
		1292	schtasks.exe
		3552	schtasks.exe
		4572	schtasks.exe
		2912	schtasks.exe
		3204	schtasks.exe
		2680	schtasks.exe
		2272	schtasks.exe
		4896	schtasks.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\fb398a8c78c793		d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
		724	schtasks.exe
		2352	schtasks.exe
		2016	schtasks.exe
		4752	schtasks.exe
		3592	schtasks.exe
		5036	schtasks.exe
		5052	schtasks.exe
File created	C:\Windows\fr-FR\29c1c3cc0f7685		d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
		1496	schtasks.exe
		4876	schtasks.exe
		1444	schtasks.exe
		2184	schtasks.exe
		3432	schtasks.exe
		3668	schtasks.exe
		4736	schtasks.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\9e8d7a4ca61bd9		d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
		4832	schtasks.exe
		3168	schtasks.exe
		4460	schtasks.exe
		1540	schtasks.exe
		4216	schtasks.exe
		3404	schtasks.exe
		4208	schtasks.exe
		812	schtasks.exe
		4668	schtasks.exe
		4580	schtasks.exe
		2132	schtasks.exe
		1976	schtasks.exe
		2756	schtasks.exe
		1860	schtasks.exe
		4960	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File created	C:\Program Files (x86)\MSBuild\9e8d7a4ca61bd9		d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe

Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	724	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	612	schtasks.exe	85

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/736-1-0x0000000000C50000-0x0000000000F04000-memory.dmp	dcrat
behavioral2/files/0x0007000000023c92-30.dat	dcrat
behavioral2/files/0x0008000000023c97-57.dat	dcrat
behavioral2/files/0x000700000001e104-80.dat	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe

Executes dropped EXE 3 IoCs

pid	Process
3908	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
2572	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
4812	SppExtComObj.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Multimedia Platform\Idle.exe	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File created	C:\Program Files (x86)\MSBuild\9e8d7a4ca61bd9	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXA520.tmp	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\04c1e7795967e4	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File created	C:\Program Files (x86)\Windows Mail\cc11b995f2a76d	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXA51F.tmp	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXA735.tmp	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXA7B3.tmp	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RuntimeBroker.exe	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\Idle.exe	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File created	C:\Program Files\Windows Multimedia Platform\6ccacd8608530f	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\winlogon.exe	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXA29D.tmp	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXA31B.tmp	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\TrustedInstaller.exe	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File created	C:\Program Files (x86)\Windows Mail\winlogon.exe	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\TrustedInstaller.exe	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\9e8d7a4ca61bd9	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\fb398a8c78c793	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File created	C:\Program Files (x86)\MSBuild\RuntimeBroker.exe	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\fr-FR\unsecapp.exe	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File opened for modification	C:\Windows\fr-FR\RCXA089.tmp	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File opened for modification	C:\Windows\security\logs\TextInputHost.exe	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File created	C:\Windows\Panther\UnattendGC\SppExtComObj.exe	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File created	C:\Windows\Panther\UnattendGC\e1ef82546f0b02	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File created	C:\Windows\System\SppExtComObj.exe	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File created	C:\Windows\System\e1ef82546f0b02	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File created	C:\Windows\fr-FR\unsecapp.exe	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File created	C:\Windows\fr-FR\29c1c3cc0f7685	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File opened for modification	C:\Windows\fr-FR\RCXA078.tmp	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File created	C:\Windows\security\logs\22eafd247d37c3	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File created	C:\Windows\es-ES\Registry.exe	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File created	C:\Windows\es-ES\ee2ad38f3d4382	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File created	C:\Windows\security\logs\TextInputHost.exe	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File opened for modification	C:\Windows\es-ES\Registry.exe	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File opened for modification	C:\Windows\System\SppExtComObj.exe	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
File opened for modification	C:\Windows\Panther\UnattendGC\SppExtComObj.exe	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1496	schtasks.exe
3432	schtasks.exe
1648	schtasks.exe
4876	schtasks.exe
4216	schtasks.exe
2352	schtasks.exe
5052	schtasks.exe
2680	schtasks.exe
4752	schtasks.exe
4896	schtasks.exe
3592	schtasks.exe
3204	schtasks.exe
4460	schtasks.exe
2132	schtasks.exe
1292	schtasks.exe
2184	schtasks.exe
3404	schtasks.exe
4272	schtasks.exe
4736	schtasks.exe
2016	schtasks.exe
4580	schtasks.exe
4960	schtasks.exe
724	schtasks.exe
5036	schtasks.exe
1444	schtasks.exe
1976	schtasks.exe
3168	schtasks.exe
4832	schtasks.exe
2756	schtasks.exe
3668	schtasks.exe
3552	schtasks.exe
1540	schtasks.exe
4572	schtasks.exe
1860	schtasks.exe
4668	schtasks.exe
2584	schtasks.exe
2272	schtasks.exe
4848	schtasks.exe
2912	schtasks.exe
552	schtasks.exe
4208	schtasks.exe
812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
736	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
3908	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
2572	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
2572	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
2572	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
2572	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
2572	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
2572	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
2572	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
2572	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
4812	SppExtComObj.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	736	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Token: SeDebugPrivilege	3908	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Token: SeDebugPrivilege	2572	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Token: SeDebugPrivilege	4812	SppExtComObj.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 3908	736	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe	102
PID 736 wrote to memory of 3908	736	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe	102
PID 3908 wrote to memory of 548	3908	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe	114
PID 3908 wrote to memory of 548	3908	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe	114
PID 548 wrote to memory of 2456	548	cmd.exe	116
PID 548 wrote to memory of 2456	548	cmd.exe	116
PID 548 wrote to memory of 2572	548	cmd.exe	120
PID 548 wrote to memory of 2572	548	cmd.exe	120
PID 2572 wrote to memory of 4812	2572	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe	146
PID 2572 wrote to memory of 4812	2572	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe	146

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
"C:\Users\Admin\AppData\Local\Temp\d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe"
1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:736
- C:\Users\Admin\AppData\Local\Temp\d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
  "C:\Users\Admin\AppData\Local\Temp\d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3908
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B24wjK8S6m.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe
      "C:\Users\Admin\AppData\Local\Temp\d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2572
    - - C:\Windows\System\SppExtComObj.exe
        
        "C:\Windows\System\SppExtComObj.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\fr-FR\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\fr-FR\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0d" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0d" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Start Menu\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Start Menu\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\security\logs\TextInputHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\security\logs\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Windows\security\logs\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\es-ES\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\TrustedInstaller.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\System\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\System\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Windows\Panther\UnattendGC\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\Panther\UnattendGC\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Desktop\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\RuntimeBroker.exe

Filesize
2.7MB

MD5
e33352dc76d085ce662fbbaf395a12fe

SHA1
31ecf419900e5586f114a13e4b14c5f8ef2b9436

SHA256
a2a736b5e96391a7c09f5ec9d7df670c59aace84352ccb1d33ee8496af87b946

SHA512
5b4364e0822c5021b884e9e11c9aff8f9ddbfa2badbbba994bcab3abaf46f24fe8c3a534ccd593286ebda073c716065134532d78d1560ac95538f4bc17847099

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe

Filesize
2.7MB

MD5
91f99790ced0ff09689cd9d2f57d59db

SHA1
f7e2c41226d7e27dc084db58b2e61194892d23f1

SHA256
f5cb0d7937854550847ae9fe3c4587c5abf1e6e7e155a19408607f12d81760ab

SHA512
e09e966477fb46f4c18bcbcbd6a23527723e33828ffdd03b734a1dbff39cb0507331ef166d21e57deb71aad9f448760327385e718eebb9265615140cfd11d665

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\B24wjK8S6m.bat

Filesize
267B

MD5
cf6e210c0a6ff618cd22aada9e09cd79

SHA1
3d7a04cc32c59593f68cbce66972ef5b13304be1

SHA256
34fbb8fd17fdad28fe2fbca0344fde6754acb2434b3fbe9b5eda6a97ead5a749

SHA512
41ea5bdae58331ffaf1aa52b6b6aa49d88cd317ec44caad7202885c848f9a731c7232bd78684b5e083f8a83ea4472a346f1c69e39bae6065fbb738f32aa22db0

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\SppExtComObj.exe

Filesize
2.7MB

MD5
133f58a8a158d4d0edb84f287c27127f

SHA1
2af95a4364675e01e0d688639bd8a19cf8f12dea

SHA256
d1e12b5118382ed3e03fc92838410942d862e6fe2f4710c541210720b0bdf0a0

SHA512
c0c6ffe1f272d68231ef9244f77b15645d16ed20b8fbd7706e11339240ba25943f70d7b69150b75abc6b0089e86a77a0800cbc99fda2db5d8500b4b9ccfaa247

Download Submit
memory/736-14-0x000000001C7D0000-0x000000001CCF8000-memory.dmp

Filesize
5.2MB

Download
memory/736-17-0x000000001C2B0000-0x000000001C2BC000-memory.dmp

Filesize
48KB

Download
memory/736-6-0x00000000017E0000-0x00000000017E8000-memory.dmp

Filesize
32KB

Download
memory/736-8-0x000000001BB60000-0x000000001BB76000-memory.dmp

Filesize
88KB

Download
memory/736-9-0x000000001BB80000-0x000000001BB88000-memory.dmp

Filesize
32KB

Download
memory/736-10-0x000000001BBA0000-0x000000001BBAA000-memory.dmp

Filesize
40KB

Download
memory/736-11-0x000000001C230000-0x000000001C286000-memory.dmp

Filesize
344KB

Download
memory/736-12-0x000000001BB90000-0x000000001BB98000-memory.dmp

Filesize
32KB

Download
memory/736-13-0x000000001BC00000-0x000000001BC12000-memory.dmp

Filesize
72KB

Download
memory/736-0-0x00007FF8BE393000-0x00007FF8BE395000-memory.dmp

Filesize
8KB

Download
memory/736-15-0x000000001BC10000-0x000000001BC18000-memory.dmp

Filesize
32KB

Download
memory/736-7-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/736-19-0x000000001C2D0000-0x000000001C2DC000-memory.dmp

Filesize
48KB

Download
memory/736-21-0x000000001C2F0000-0x000000001C2FC000-memory.dmp

Filesize
48KB

Download
memory/736-20-0x000000001C2E0000-0x000000001C2EA000-memory.dmp

Filesize
40KB

Download
memory/736-18-0x000000001C2C0000-0x000000001C2CE000-memory.dmp

Filesize
56KB

Download
memory/736-16-0x000000001C2A0000-0x000000001C2A8000-memory.dmp

Filesize
32KB

Download
memory/736-5-0x000000001BBB0000-0x000000001BC00000-memory.dmp

Filesize
320KB

Download
memory/736-4-0x000000001BB40000-0x000000001BB5C000-memory.dmp

Filesize
112KB

Download
memory/736-3-0x00000000017D0000-0x00000000017DE000-memory.dmp

Filesize
56KB

Download
memory/736-98-0x00007FF8BE390000-0x00007FF8BEE51000-memory.dmp

Filesize
10.8MB

Download
memory/736-1-0x0000000000C50000-0x0000000000F04000-memory.dmp

Filesize
2.7MB

Download
memory/736-2-0x00007FF8BE390000-0x00007FF8BEE51000-memory.dmp

Filesize
10.8MB

Download
memory/3908-99-0x000000001C3B0000-0x000000001C406000-memory.dmp

Filesize
344KB

Download