dcrat | 63b2109d651e58bdceb6dcd68821e723f4a5ce45875405cf395ff04937ea26b8

Analysis

max time kernel
101s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fc6b7a531664647e76420f006504fe4.exe
Size

783KB
MD5

9fc6b7a531664647e76420f006504fe4
SHA1

719f7a1a72fd0a3868802dba03915489e405096d
SHA256

1b9c3ff779aff3d88db47afc5230aeaa0b3332db3fb39f8604eadc5c13a351d3
SHA512

9a340891c5a12cc53e3a0466b4c7e8aa6aa89a0110f8a789d5a1950ab7541fbb707d0af98c90517894ea0acdd63f94a7d6d58b69cdb26f7e5cf30a4848587d3d
SSDEEP

12288:GqnOYxdAgpoNeF91rg5iFdr0yQ9gYx+EIpakCYJRU7Q9bWoFzqK:G+OQbpbgsFdAyQvzSqaq8q

Score

10^/10

dcrat defense_evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 15 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartUI\\StartMenuExperienceHost.exe\""		9fc6b7a531664647e76420f006504fe4.exe
		4688	schtasks.exe
		4580	schtasks.exe
		4748	schtasks.exe
		4876	schtasks.exe
		4696	schtasks.exe
		5940	schtasks.exe
		2240	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9fc6b7a531664647e76420f006504fe4 = "\"C:\\Documents and Settings\\9fc6b7a531664647e76420f006504fe4.exe\""		9fc6b7a531664647e76420f006504fe4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\xpsservices\\fontdrvhost.exe\""		9fc6b7a531664647e76420f006504fe4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Mail\\sppsvc.exe\""		9fc6b7a531664647e76420f006504fe4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\PerfLogs\\dllhost.exe\""		9fc6b7a531664647e76420f006504fe4.exe
		4556	schtasks.exe
		3568	schtasks.exe
		6044	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 10 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	4984	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	4984	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	4984	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	4984	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	4984	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	4984	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6044	4984	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	4984	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5940	4984	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	4984	schtasks.exe	87

UAC bypass 3 TTPs 9 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9fc6b7a531664647e76420f006504fe4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9fc6b7a531664647e76420f006504fe4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9fc6b7a531664647e76420f006504fe4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9fc6b7a531664647e76420f006504fe4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9fc6b7a531664647e76420f006504fe4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9fc6b7a531664647e76420f006504fe4.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral28/memory/6136-1-0x00000000009B0000-0x0000000000A7A000-memory.dmp	dcrat
behavioral28/files/0x00070000000242f5-33.dat	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	9fc6b7a531664647e76420f006504fe4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	9fc6b7a531664647e76420f006504fe4.exe

Executes dropped EXE 2 IoCs

pid	Process
2816	9fc6b7a531664647e76420f006504fe4.exe
2700	TextInputHost.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Windows Multimedia Platform\\backgroundTaskHost.exe\""	9fc6b7a531664647e76420f006504fe4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\aff403968f1bfcc42131676322798b50\\dllhost.exe\""	9fc6b7a531664647e76420f006504fe4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\xpsservices\\fontdrvhost.exe\""	9fc6b7a531664647e76420f006504fe4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Mail\\sppsvc.exe\""	9fc6b7a531664647e76420f006504fe4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\PerfLogs\\dllhost.exe\""	9fc6b7a531664647e76420f006504fe4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\mapstoasttask\\backgroundTaskHost.exe\""	9fc6b7a531664647e76420f006504fe4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\SCardBi\\fontdrvhost.exe\""	9fc6b7a531664647e76420f006504fe4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\LayoutData\\TextInputHost.exe\""	9fc6b7a531664647e76420f006504fe4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9fc6b7a531664647e76420f006504fe4 = "\"C:\\Documents and Settings\\9fc6b7a531664647e76420f006504fe4.exe\""	9fc6b7a531664647e76420f006504fe4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartUI\\StartMenuExperienceHost.exe\""	9fc6b7a531664647e76420f006504fe4.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9fc6b7a531664647e76420f006504fe4.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9fc6b7a531664647e76420f006504fe4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9fc6b7a531664647e76420f006504fe4.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9fc6b7a531664647e76420f006504fe4.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\xpsservices\RCX9732.tmp	9fc6b7a531664647e76420f006504fe4.exe
File opened for modification	C:\Windows\System32\xpsservices\fontdrvhost.exe	9fc6b7a531664647e76420f006504fe4.exe
File created	C:\Windows\System32\mapstoasttask\backgroundTaskHost.exe	9fc6b7a531664647e76420f006504fe4.exe
File created	C:\Windows\System32\mapstoasttask\eddb19405b7ce1152b3e19997f2b467f0b72b3d3	9fc6b7a531664647e76420f006504fe4.exe
File created	C:\Windows\System32\SCardBi\fontdrvhost.exe	9fc6b7a531664647e76420f006504fe4.exe
File opened for modification	C:\Windows\System32\SCardBi\fontdrvhost.exe	9fc6b7a531664647e76420f006504fe4.exe
File opened for modification	C:\Windows\System32\mapstoasttask\backgroundTaskHost.exe	9fc6b7a531664647e76420f006504fe4.exe
File created	C:\Windows\System32\SCardBi\5b884080fd4f94e2695da25c503f9e33b9605b83	9fc6b7a531664647e76420f006504fe4.exe
File created	C:\Windows\System32\xpsservices\fontdrvhost.exe	9fc6b7a531664647e76420f006504fe4.exe
File created	C:\Windows\System32\xpsservices\5b884080fd4f94e2695da25c503f9e33b9605b83	9fc6b7a531664647e76420f006504fe4.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Mail\sppsvc.exe	9fc6b7a531664647e76420f006504fe4.exe
File created	C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe	9fc6b7a531664647e76420f006504fe4.exe
File created	C:\Program Files\Windows Multimedia Platform\eddb19405b7ce1152b3e19997f2b467f0b72b3d3	9fc6b7a531664647e76420f006504fe4.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe	9fc6b7a531664647e76420f006504fe4.exe
File created	C:\Program Files (x86)\Windows Mail\sppsvc.exe	9fc6b7a531664647e76420f006504fe4.exe
File created	C:\Program Files (x86)\Windows Mail\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c	9fc6b7a531664647e76420f006504fe4.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX9937.tmp	9fc6b7a531664647e76420f006504fe4.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\LayoutData\22eafd247d37c30fed3795ee41d259ec72bb351c	9fc6b7a531664647e76420f006504fe4.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\LayoutData\TextInputHost.exe	9fc6b7a531664647e76420f006504fe4.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\StartMenuExperienceHost.exe	9fc6b7a531664647e76420f006504fe4.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\55b276f4edf653fe07efe8f1ecc32d3d195abd16	9fc6b7a531664647e76420f006504fe4.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\RCX952D.tmp	9fc6b7a531664647e76420f006504fe4.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\StartMenuExperienceHost.exe	9fc6b7a531664647e76420f006504fe4.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\LayoutData\TextInputHost.exe	9fc6b7a531664647e76420f006504fe4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	9fc6b7a531664647e76420f006504fe4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	9fc6b7a531664647e76420f006504fe4.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4696	schtasks.exe
6044	schtasks.exe
4876	schtasks.exe
5940	schtasks.exe
2240	schtasks.exe
4556	schtasks.exe
4580	schtasks.exe
3568	schtasks.exe
4688	schtasks.exe
4748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
6136	9fc6b7a531664647e76420f006504fe4.exe
6136	9fc6b7a531664647e76420f006504fe4.exe
6136	9fc6b7a531664647e76420f006504fe4.exe
6136	9fc6b7a531664647e76420f006504fe4.exe
6136	9fc6b7a531664647e76420f006504fe4.exe
6136	9fc6b7a531664647e76420f006504fe4.exe
6136	9fc6b7a531664647e76420f006504fe4.exe
6136	9fc6b7a531664647e76420f006504fe4.exe
6136	9fc6b7a531664647e76420f006504fe4.exe
6136	9fc6b7a531664647e76420f006504fe4.exe
2816	9fc6b7a531664647e76420f006504fe4.exe
2816	9fc6b7a531664647e76420f006504fe4.exe
2816	9fc6b7a531664647e76420f006504fe4.exe
2816	9fc6b7a531664647e76420f006504fe4.exe
2816	9fc6b7a531664647e76420f006504fe4.exe
2816	9fc6b7a531664647e76420f006504fe4.exe
2816	9fc6b7a531664647e76420f006504fe4.exe
2816	9fc6b7a531664647e76420f006504fe4.exe
2816	9fc6b7a531664647e76420f006504fe4.exe
2816	9fc6b7a531664647e76420f006504fe4.exe
2700	TextInputHost.exe
2700	TextInputHost.exe
2700	TextInputHost.exe
2700	TextInputHost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	6136	9fc6b7a531664647e76420f006504fe4.exe
Token: SeDebugPrivilege	2816	9fc6b7a531664647e76420f006504fe4.exe
Token: SeDebugPrivilege	2700	TextInputHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 6136 wrote to memory of 4920	6136	9fc6b7a531664647e76420f006504fe4.exe	93
PID 6136 wrote to memory of 4920	6136	9fc6b7a531664647e76420f006504fe4.exe	93
PID 4920 wrote to memory of 5836	4920	cmd.exe	95
PID 4920 wrote to memory of 5836	4920	cmd.exe	95
PID 4920 wrote to memory of 2816	4920	cmd.exe	99
PID 4920 wrote to memory of 2816	4920	cmd.exe	99
PID 2816 wrote to memory of 2700	2816	9fc6b7a531664647e76420f006504fe4.exe	106
PID 2816 wrote to memory of 2700	2816	9fc6b7a531664647e76420f006504fe4.exe	106

System policy modification 1 TTPs 9 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9fc6b7a531664647e76420f006504fe4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9fc6b7a531664647e76420f006504fe4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9fc6b7a531664647e76420f006504fe4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9fc6b7a531664647e76420f006504fe4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9fc6b7a531664647e76420f006504fe4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9fc6b7a531664647e76420f006504fe4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9fc6b7a531664647e76420f006504fe4.exe
"C:\Users\Admin\AppData\Local\Temp\9fc6b7a531664647e76420f006504fe4.exe"
1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:6136
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LCJkF3klli.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5836
- - C:\Users\Admin\AppData\Local\Temp\9fc6b7a531664647e76420f006504fe4.exe
    "C:\Users\Admin\AppData\Local\Temp\9fc6b7a531664647e76420f006504fe4.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2816
  - - C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\LayoutData\TextInputHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\LayoutData\TextInputHost.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9fc6b7a531664647e76420f006504fe4" /sc ONLOGON /tr "'C:\Documents and Settings\9fc6b7a531664647e76420f006504fe4.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\xpsservices\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PerfLogs\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\mapstoasttask\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\SCardBi\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\LayoutData\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\dllhost.exe

Filesize
783KB

MD5
9fc6b7a531664647e76420f006504fe4

SHA1
719f7a1a72fd0a3868802dba03915489e405096d

SHA256
1b9c3ff779aff3d88db47afc5230aeaa0b3332db3fb39f8604eadc5c13a351d3

SHA512
9a340891c5a12cc53e3a0466b4c7e8aa6aa89a0110f8a789d5a1950ab7541fbb707d0af98c90517894ea0acdd63f94a7d6d58b69cdb26f7e5cf30a4848587d3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\9fc6b7a531664647e76420f006504fe4.exe.log

Filesize
1KB

MD5
b7c0c43fc7804baaa7dc87152cdc9554

SHA1
1bab62bd56af745678d4e967d91e1ccfdeed4038

SHA256
46386a61f3aaf1b1c2e6efc9fc7e9e9ff16cd13ae58b8d856835771fedb6d457

SHA512
9fda3dd00a3406137e0113f13f78e77b20a76512b35820d38df696842cbbf2e2ebabfb99a3846c9637ecb54af858ec1551521187e379872973006426a253f769

Download Submit
C:\Users\Admin\AppData\Local\Temp\LCJkF3klli.bat

Filesize
234B

MD5
e3870555bc0c9de15e287d733722c8f4

SHA1
301f72f7830112b9ecc6393cdb9991e7d14ed2db

SHA256
c95e651ffae11b9c8a3d6c8ee61eb223c11b4d84cef956651d9d398713667ecc

SHA512
6b787b38654b63f922bea2296679850a70898216334ba6dc6b9b94db55b8467b69caa6531c728f3bf1dc8e1d91d8412234b3f6a9573975f81871e14b7377066d

Download Submit
memory/6136-25-0x00007FFA6A370000-0x00007FFA6AE31000-memory.dmp

Filesize
10.8MB

Download
memory/6136-15-0x00000000013F0000-0x00000000013F8000-memory.dmp

Filesize
32KB

Download
memory/6136-6-0x0000000001350000-0x0000000001358000-memory.dmp

Filesize
32KB

Download
memory/6136-9-0x00000000013A0000-0x00000000013AA000-memory.dmp

Filesize
40KB

Download
memory/6136-13-0x0000000001400000-0x0000000001408000-memory.dmp

Filesize
32KB

Download
memory/6136-17-0x000000001BAB0000-0x000000001BAB8000-memory.dmp

Filesize
32KB

Download
memory/6136-16-0x000000001BAA0000-0x000000001BAA8000-memory.dmp

Filesize
32KB

Download
memory/6136-21-0x000000001B8A0000-0x000000001B8AC000-memory.dmp

Filesize
48KB

Download
memory/6136-20-0x000000001B8F0000-0x000000001B8F8000-memory.dmp

Filesize
32KB

Download
memory/6136-19-0x00000000013D0000-0x00000000013D8000-memory.dmp

Filesize
32KB

Download
memory/6136-22-0x000000001B8C0000-0x000000001B8C8000-memory.dmp

Filesize
32KB

Download
memory/6136-0-0x00007FFA6A373000-0x00007FFA6A375000-memory.dmp

Filesize
8KB

Download
memory/6136-18-0x000000001B8B0000-0x000000001B8B8000-memory.dmp

Filesize
32KB

Download
memory/6136-7-0x0000000001390000-0x000000000139C000-memory.dmp

Filesize
48KB

Download
memory/6136-14-0x000000001BAC0000-0x000000001BAC8000-memory.dmp

Filesize
32KB

Download
memory/6136-12-0x0000000001370000-0x0000000001378000-memory.dmp

Filesize
32KB

Download
memory/6136-11-0x00000000013C0000-0x00000000013C8000-memory.dmp

Filesize
32KB

Download
memory/6136-26-0x00007FFA6A370000-0x00007FFA6AE31000-memory.dmp

Filesize
10.8MB

Download
memory/6136-10-0x0000000001380000-0x0000000001388000-memory.dmp

Filesize
32KB

Download
memory/6136-8-0x00000000013B0000-0x00000000013BA000-memory.dmp

Filesize
40KB

Download
memory/6136-4-0x0000000001340000-0x0000000001348000-memory.dmp

Filesize
32KB

Download
memory/6136-5-0x0000000001360000-0x0000000001370000-memory.dmp

Filesize
64KB

Download
memory/6136-3-0x0000000001320000-0x0000000001328000-memory.dmp

Filesize
32KB

Download
memory/6136-38-0x00007FFA6A370000-0x00007FFA6AE31000-memory.dmp

Filesize
10.8MB

Download
memory/6136-2-0x00007FFA6A370000-0x00007FFA6AE31000-memory.dmp

Filesize
10.8MB

Download
memory/6136-80-0x00007FFA6A370000-0x00007FFA6AE31000-memory.dmp

Filesize
10.8MB

Download
memory/6136-1-0x00000000009B0000-0x0000000000A7A000-memory.dmp

Filesize
808KB

Download