dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85edcd8fbc445760ff0796aa459e3c42.exe
Size

999KB
MD5

85edcd8fbc445760ff0796aa459e3c42
SHA1

bc63d62de0f20bee25246b808bf512371e9aa875
SHA256

8b7f417cdbc071fe2752a6c225154b943636ebd63674d591861251f5bdaaa292
SHA512

a192875edf98bd51e92a0a827c7b767041fa1c25595a70683f458971ff300a87404edfd9b1507220440f5e6c9704ebed07655498f27bee224d97dc56eb91525c
SSDEEP

12288:H9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:H9pP5WS3lrMNyC9TJPCXBi

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 46 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1220	schtasks.exe
		2324	schtasks.exe
File created	C:\Program Files\Windows Journal\es-ES\886983d96e3d3e		85edcd8fbc445760ff0796aa459e3c42.exe
		1684	schtasks.exe
		2400	schtasks.exe
		2092	schtasks.exe
		1740	schtasks.exe
		2336	schtasks.exe
		3008	schtasks.exe
		2816	schtasks.exe
		344	schtasks.exe
		1612	schtasks.exe
		544	schtasks.exe
		3032	schtasks.exe
File created	C:\Program Files\Windows Journal\es-ES\csrss.exe		85edcd8fbc445760ff0796aa459e3c42.exe
		2756	schtasks.exe
		1900	schtasks.exe
		2060	schtasks.exe
		2076	schtasks.exe
		1808	schtasks.exe
		2804	schtasks.exe
		1368	schtasks.exe
		2980	schtasks.exe
		1904	schtasks.exe
		1160	schtasks.exe
		2724	schtasks.exe
		2696	schtasks.exe
		2668	schtasks.exe
		448	schtasks.exe
		768	schtasks.exe
		2584	schtasks.exe
		2272	schtasks.exe
		304	schtasks.exe
		2456	schtasks.exe
		2880	schtasks.exe
		2520	schtasks.exe
		624	schtasks.exe
		2800	schtasks.exe
		1088	schtasks.exe
		2280	schtasks.exe
		2912	schtasks.exe
		2144	schtasks.exe
		1384	schtasks.exe
		2968	schtasks.exe
		2820	schtasks.exe
		2204	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 11 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\es-ES\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\es-ES\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\Windows\\Vss\\Writers\\lsm.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\es-ES\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\Windows\\Vss\\Writers\\lsm.exe\", \"C:\\Users\\All Users\\Start Menu\\winlogon.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\es-ES\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\es-ES\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\es-ES\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\Windows\\Vss\\Writers\\lsm.exe\", \"C:\\Users\\All Users\\Start Menu\\winlogon.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\Idle.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\es-ES\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\Windows\\Vss\\Writers\\lsm.exe\", \"C:\\Users\\All Users\\Start Menu\\winlogon.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\Idle.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\wininit.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\es-ES\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\Windows\\Vss\\Writers\\lsm.exe\", \"C:\\Users\\All Users\\Start Menu\\winlogon.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\Idle.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WMIADAP.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\es-ES\\csrss.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\es-ES\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\es-ES\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe

Process spawned unexpected child process 44 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2648	schtasks.exe	31

Executes dropped EXE 1 IoCs

pid	Process
2052	csrss.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Journal\\es-ES\\csrss.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Vss\\Writers\\lsm.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\Idle.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\wininit.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WMIADAP.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\All Users\\Start Menu\\winlogon.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\es-ES\csrss.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\WMIADAP.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\75a57c1bdf437c	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\RCX503.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\wininit.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\56085415360792	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files\Windows Journal\es-ES\RCXF124.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files\Windows Journal\es-ES\RCXF125.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\wininit.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RCX707.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files\Windows Journal\es-ES\886983d96e3d3e	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RCX775.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files\Windows Journal\es-ES\csrss.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\RCX502.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WMIADAP.exe	85edcd8fbc445760ff0796aa459e3c42.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Vss\Writers\RCXFE88.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Windows\Vss\Writers\lsm.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Windows\Vss\Writers\lsm.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Windows\Vss\Writers\101b941d020240	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Windows\Vss\Writers\RCXFE87.tmp	85edcd8fbc445760ff0796aa459e3c42.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 44 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1160	schtasks.exe
624	schtasks.exe
2816	schtasks.exe
2060	schtasks.exe
2804	schtasks.exe
1740	schtasks.exe
3008	schtasks.exe
304	schtasks.exe
2280	schtasks.exe
2456	schtasks.exe
544	schtasks.exe
1904	schtasks.exe
3032	schtasks.exe
2800	schtasks.exe
1088	schtasks.exe
2144	schtasks.exe
1368	schtasks.exe
2980	schtasks.exe
1384	schtasks.exe
2756	schtasks.exe
2584	schtasks.exe
1684	schtasks.exe
344	schtasks.exe
1612	schtasks.exe
768	schtasks.exe
1220	schtasks.exe
2668	schtasks.exe
2820	schtasks.exe
1808	schtasks.exe
2520	schtasks.exe
2204	schtasks.exe
2076	schtasks.exe
2724	schtasks.exe
2968	schtasks.exe
1900	schtasks.exe
2912	schtasks.exe
2400	schtasks.exe
2092	schtasks.exe
448	schtasks.exe
2696	schtasks.exe
2324	schtasks.exe
2336	schtasks.exe
2272	schtasks.exe
2880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1764	85edcd8fbc445760ff0796aa459e3c42.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1764	85edcd8fbc445760ff0796aa459e3c42.exe
Token: SeDebugPrivilege	2052	csrss.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2052	1764	85edcd8fbc445760ff0796aa459e3c42.exe	76
PID 1764 wrote to memory of 2052	1764	85edcd8fbc445760ff0796aa459e3c42.exe	76
PID 1764 wrote to memory of 2052	1764	85edcd8fbc445760ff0796aa459e3c42.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\85edcd8fbc445760ff0796aa459e3c42.exe
"C:\Users\Admin\AppData\Local\Temp\85edcd8fbc445760ff0796aa459e3c42.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Program Files\Windows Journal\es-ES\csrss.exe
  "C:\Program Files\Windows Journal\es-ES\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\Program Files\Windows Journal\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\es-ES\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONSTART /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONSTART /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONSTART /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONSTART /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONSTART /tr "'C:\Windows\Vss\Writers\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONSTART /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONSTART /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONSTART /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONSTART /tr "'C:\Program Files (x86)\Microsoft Office\Office14\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\WMIADAP.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe

Filesize
999KB

MD5
98e956393ae2a5cd33987a905c039a83

SHA1
a22138342840f5dbf2e4c1b6ea865976f5b23d98

SHA256
bddd6d8bf6982f1c6d31b8b630058ea4bcc395b13b55e98fec61146737c37306

SHA512
3a46ed79f997c131f4a2d311af73c18f8b8b514836875adf760797ba418b737fed76e54859a6497f8c4b9cde09bc30e9ee84d8c9ecec4dd19dd9debb93eeeae6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\WMIADAP.exe

Filesize
999KB

MD5
90e9cc7a61e52dbbba23c7227780da3c

SHA1
b60c0349f315835d99f58dd7e70cf5ffe4bc59fa

SHA256
669c96488ef8730dd85483c06474fe08efe3d58f11841183259bd499d1aba84d

SHA512
6ff43e18e59bf0747f272a249727b0f48c4f7209ea4ed44896456fb0066d85cc595efadea993d91a3ca02150aa59decf03e7b5b4aa8ae59176615dedabc71daf

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\RCX2FE.tmp

Filesize
999KB

MD5
cbb8749d1e9da23e8fc5ec3169a199f4

SHA1
d8dd5e33e0c3ee6163c3f92851c64ed3d43eb9a3

SHA256
0061f91a2462e8c674aadedabd7dc6e4a46c32c333b7899c1f4a735f623d1310

SHA512
490430eb64e9e6c49683f89e67c4b4363490706c0cbc0f90b99c8740a2079eb438bc963bdc79c2900f98d5048ef8572fec6a6798ed911af077c02e64c18b62e6

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe

Filesize
999KB

MD5
85edcd8fbc445760ff0796aa459e3c42

SHA1
bc63d62de0f20bee25246b808bf512371e9aa875

SHA256
8b7f417cdbc071fe2752a6c225154b943636ebd63674d591861251f5bdaaa292

SHA512
a192875edf98bd51e92a0a827c7b767041fa1c25595a70683f458971ff300a87404edfd9b1507220440f5e6c9704ebed07655498f27bee224d97dc56eb91525c

Download Submit
memory/1764-4-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/1764-5-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1764-6-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/1764-7-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/1764-8-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/1764-9-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/1764-10-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/1764-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

Filesize
4KB

Download
memory/1764-3-0x00000000001C0000-0x00000000001DC000-memory.dmp

Filesize
112KB

Download
memory/1764-2-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1764-1-0x00000000001E0000-0x00000000002E0000-memory.dmp

Filesize
1024KB

Download
memory/1764-163-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2052-162-0x0000000000BE0000-0x0000000000CE0000-memory.dmp

Filesize
1024KB

Download