dcrat | 32619382ab72416dff258bff30a8b505d6e69e818345612892a121c28f3b23b0

Analysis

max time kernel
122s
max time network
147s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21cad48edbc93da2d1e1ab6f6632461a.exe
Size

6.8MB
MD5

21cad48edbc93da2d1e1ab6f6632461a
SHA1

667a584eae5a57937d66d64249c26c8b1b2abf8f
SHA256

32619382ab72416dff258bff30a8b505d6e69e818345612892a121c28f3b23b0
SHA512

9125263a9b31336d350e19f9c79460038f7a6c48db109001e93fd8d7e8aba30c3bf44a362c4f3ee87294d3cf9052cbc8d7da518d34356212cb6f914a9990a21d
SSDEEP

196608:UQKQUc/HMlS2JxmYcmcg7XGqb6Msq51GPo:XKwslSDVoXGe1GQ

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat 43 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe21cad48edbc93da2d1e1ab6f6632461a.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2336	schtasks.exe
1000	schtasks.exe
2032	schtasks.exe
408	schtasks.exe
1564	schtasks.exe
624	schtasks.exe
1624	schtasks.exe
3036	schtasks.exe
1944	schtasks.exe
764	schtasks.exe
1688	schtasks.exe
796	schtasks.exe
2324	schtasks.exe
2828	schtasks.exe
924	schtasks.exe
2412	schtasks.exe
900	schtasks.exe
2104	schtasks.exe
Key opened	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Office\14.0\Common	21cad48edbc93da2d1e1ab6f6632461a.exe
1780	schtasks.exe
1260	schtasks.exe
2372	schtasks.exe
1600	schtasks.exe
2216	schtasks.exe
2384	schtasks.exe
2008	schtasks.exe
2604	schtasks.exe
2148	schtasks.exe
2068	schtasks.exe
1116	schtasks.exe
1640	schtasks.exe
1800	schtasks.exe
856	schtasks.exe
268	schtasks.exe
1044	schtasks.exe
992	schtasks.exe
1040	schtasks.exe
2156	schtasks.exe
1864	schtasks.exe
2912	schtasks.exe
540	schtasks.exe
1876	schtasks.exe
1744	schtasks.exe

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2012	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Modrinth.exe	dcrat
behavioral1/memory/1700-9-0x0000000000400000-0x0000000000AD7000-memory.dmp	dcrat
\intosessionperfcrtSvc\Componentwebfont.exe	dcrat
behavioral1/memory/2824-61-0x0000000001240000-0x0000000001374000-memory.dmp	dcrat
behavioral1/memory/2636-100-0x0000000000A60000-0x0000000000B94000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

Processes:

Modrinth.exeComponentwebfont.exeSystem.exe

pid process

2328 Modrinth.exe
2824 Componentwebfont.exe
2636 System.exe
Loads dropped DLL 3 IoCs

Processes:

21cad48edbc93da2d1e1ab6f6632461a.execmd.exe

pid process

1700 21cad48edbc93da2d1e1ab6f6632461a.exe
1460 cmd.exe
1460 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

3 2288 msiexec.exe
5 2288 msiexec.exe
7 2288 msiexec.exe

pid	process
2328	Modrinth.exe
2824	Componentwebfont.exe
2636	System.exe

pid	process
1700	21cad48edbc93da2d1e1ab6f6632461a.exe
1460	cmd.exe
1460	cmd.exe

flow	pid	process
3	2288	msiexec.exe
5	2288	msiexec.exe
7	2288	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Program Files directory 6 IoCs

Processes:

Componentwebfont.exe

description	ioc	process
File created	C:\Program Files\MSBuild\Microsoft\c5b4cb5e9653cc	Componentwebfont.exe
File created	C:\Program Files\Windows NT\TableTextService\services.exe	Componentwebfont.exe
File created	C:\Program Files\Windows NT\TableTextService\c5b4cb5e9653cc	Componentwebfont.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\System.exe	Componentwebfont.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\27d1bcfc3c54e0	Componentwebfont.exe
File created	C:\Program Files\MSBuild\Microsoft\services.exe	Componentwebfont.exe

Drops file in Windows directory 5 IoCs

Processes:

Componentwebfont.exe

description	ioc	process
File created	C:\Windows\PolicyDefinitions\it-IT\spoolsv.exe	Componentwebfont.exe
File created	C:\Windows\PolicyDefinitions\it-IT\f3b6ecef712a24	Componentwebfont.exe
File created	C:\Windows\schemas\EAPHost\wininit.exe	Componentwebfont.exe
File created	C:\Windows\DigitalLocker\it-IT\smss.exe	Componentwebfont.exe
File created	C:\Windows\DigitalLocker\it-IT\69ddcba757bf72	Componentwebfont.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
408	schtasks.exe
2156	schtasks.exe
924	schtasks.exe
856	schtasks.exe
1624	schtasks.exe
2104	schtasks.exe
2068	schtasks.exe
1864	schtasks.exe
1260	schtasks.exe
1688	schtasks.exe
900	schtasks.exe
2828	schtasks.exe
624	schtasks.exe
1600	schtasks.exe
268	schtasks.exe
1780	schtasks.exe
1876	schtasks.exe
2008	schtasks.exe
1744	schtasks.exe
3036	schtasks.exe
2912	schtasks.exe
2604	schtasks.exe
764	schtasks.exe
1116	schtasks.exe
2372	schtasks.exe
1944	schtasks.exe
1040	schtasks.exe
1564	schtasks.exe
1640	schtasks.exe
2336	schtasks.exe
2412	schtasks.exe
2384	schtasks.exe
1800	schtasks.exe
2148	schtasks.exe
1044	schtasks.exe
992	schtasks.exe
2032	schtasks.exe
2216	schtasks.exe
2324	schtasks.exe
1000	schtasks.exe
796	schtasks.exe
540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Componentwebfont.exeSystem.exe

pid	process
2824	Componentwebfont.exe
2824	Componentwebfont.exe
2824	Componentwebfont.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe
2636	System.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

msiexec.exeSystem.exe

pid process

2288 msiexec.exe
2636 System.exe

pid	process
2288	msiexec.exe
2636	System.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

msiexec.exemsiexec.exeComponentwebfont.exeSystem.exe

description	pid	process
Token: SeShutdownPrivilege	2288	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2288	msiexec.exe
Token: SeRestorePrivilege	2376	msiexec.exe
Token: SeTakeOwnershipPrivilege	2376	msiexec.exe
Token: SeSecurityPrivilege	2376	msiexec.exe
Token: SeCreateTokenPrivilege	2288	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2288	msiexec.exe
Token: SeLockMemoryPrivilege	2288	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2288	msiexec.exe
Token: SeMachineAccountPrivilege	2288	msiexec.exe
Token: SeTcbPrivilege	2288	msiexec.exe
Token: SeSecurityPrivilege	2288	msiexec.exe
Token: SeTakeOwnershipPrivilege	2288	msiexec.exe
Token: SeLoadDriverPrivilege	2288	msiexec.exe
Token: SeSystemProfilePrivilege	2288	msiexec.exe
Token: SeSystemtimePrivilege	2288	msiexec.exe
Token: SeProfSingleProcessPrivilege	2288	msiexec.exe
Token: SeIncBasePriorityPrivilege	2288	msiexec.exe
Token: SeCreatePagefilePrivilege	2288	msiexec.exe
Token: SeCreatePermanentPrivilege	2288	msiexec.exe
Token: SeBackupPrivilege	2288	msiexec.exe
Token: SeRestorePrivilege	2288	msiexec.exe
Token: SeShutdownPrivilege	2288	msiexec.exe
Token: SeDebugPrivilege	2288	msiexec.exe
Token: SeAuditPrivilege	2288	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2288	msiexec.exe
Token: SeChangeNotifyPrivilege	2288	msiexec.exe
Token: SeRemoteShutdownPrivilege	2288	msiexec.exe
Token: SeUndockPrivilege	2288	msiexec.exe
Token: SeSyncAgentPrivilege	2288	msiexec.exe
Token: SeEnableDelegationPrivilege	2288	msiexec.exe
Token: SeManageVolumePrivilege	2288	msiexec.exe
Token: SeImpersonatePrivilege	2288	msiexec.exe
Token: SeCreateGlobalPrivilege	2288	msiexec.exe
Token: SeDebugPrivilege	2824	Componentwebfont.exe
Token: SeDebugPrivilege	2636	System.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

2288 msiexec.exe

pid	process
2288	msiexec.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

21cad48edbc93da2d1e1ab6f6632461a.exeModrinth.exeWScript.execmd.exeComponentwebfont.exe

description	pid	process	target process
PID 1700 wrote to memory of 2328	1700	21cad48edbc93da2d1e1ab6f6632461a.exe	Modrinth.exe
PID 1700 wrote to memory of 2328	1700	21cad48edbc93da2d1e1ab6f6632461a.exe	Modrinth.exe
PID 1700 wrote to memory of 2328	1700	21cad48edbc93da2d1e1ab6f6632461a.exe	Modrinth.exe
PID 1700 wrote to memory of 2328	1700	21cad48edbc93da2d1e1ab6f6632461a.exe	Modrinth.exe
PID 1700 wrote to memory of 2288	1700	21cad48edbc93da2d1e1ab6f6632461a.exe	msiexec.exe
PID 1700 wrote to memory of 2288	1700	21cad48edbc93da2d1e1ab6f6632461a.exe	msiexec.exe
PID 1700 wrote to memory of 2288	1700	21cad48edbc93da2d1e1ab6f6632461a.exe	msiexec.exe
PID 1700 wrote to memory of 2288	1700	21cad48edbc93da2d1e1ab6f6632461a.exe	msiexec.exe
PID 1700 wrote to memory of 2288	1700	21cad48edbc93da2d1e1ab6f6632461a.exe	msiexec.exe
PID 1700 wrote to memory of 2288	1700	21cad48edbc93da2d1e1ab6f6632461a.exe	msiexec.exe
PID 1700 wrote to memory of 2288	1700	21cad48edbc93da2d1e1ab6f6632461a.exe	msiexec.exe
PID 2328 wrote to memory of 2692	2328	Modrinth.exe	WScript.exe
PID 2328 wrote to memory of 2692	2328	Modrinth.exe	WScript.exe
PID 2328 wrote to memory of 2692	2328	Modrinth.exe	WScript.exe
PID 2328 wrote to memory of 2692	2328	Modrinth.exe	WScript.exe
PID 2692 wrote to memory of 1460	2692	WScript.exe	cmd.exe
PID 2692 wrote to memory of 1460	2692	WScript.exe	cmd.exe
PID 2692 wrote to memory of 1460	2692	WScript.exe	cmd.exe
PID 2692 wrote to memory of 1460	2692	WScript.exe	cmd.exe
PID 1460 wrote to memory of 2824	1460	cmd.exe	Componentwebfont.exe
PID 1460 wrote to memory of 2824	1460	cmd.exe	Componentwebfont.exe
PID 1460 wrote to memory of 2824	1460	cmd.exe	Componentwebfont.exe
PID 1460 wrote to memory of 2824	1460	cmd.exe	Componentwebfont.exe
PID 2824 wrote to memory of 2636	2824	Componentwebfont.exe	System.exe
PID 2824 wrote to memory of 2636	2824	Componentwebfont.exe	System.exe
PID 2824 wrote to memory of 2636	2824	Componentwebfont.exe	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\21cad48edbc93da2d1e1ab6f6632461a.exe
"C:\Users\Admin\AppData\Local\Temp\21cad48edbc93da2d1e1ab6f6632461a.exe"
1⤵
- DcRat
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\Modrinth.exe
"C:\Users\Admin\AppData\Local\Temp\Modrinth.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intosessionperfcrtSvc\x6qhfc.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\intosessionperfcrtSvc\QvJVxLMgIdUXKZXo3vjvMJd9h.bat" "
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460

C:\intosessionperfcrtSvc\Componentwebfont.exe
"C:\intosessionperfcrtSvc\Componentwebfont.exe"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824

C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Modrinth App_0.7.1_x64_en-US.msi"
2⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2288

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 7 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\msiexec.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msiexec" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\msiexec.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 9 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\msiexec.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\TableTextService\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\intosessionperfcrtSvc\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\intosessionperfcrtSvc\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\intosessionperfcrtSvc\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\it-IT\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\it-IT\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab12B8.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Modrinth App_0.7.1_x64_en-US.msi
Filesize
5.0MB

MD5
5003486a784143bc96c3577172bbb44a

SHA1
9a960998807126041fae5b4fe9488d7ff3c5ca42

SHA256
b1ac36000cee14b9c36aea4cef7f53ed2e7c18c9534b4ff66f07da11e8c07b59

SHA512
3fd871414cffe35ae649dbb02935eddcad75ee094f2d61f2cef48827dfb852ff3b8e4211f913bf65e4619b2a4989a2807d876a920a105735ac3e59362802ee19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1431.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\intosessionperfcrtSvc\QvJVxLMgIdUXKZXo3vjvMJd9h.bat
Filesize
47B

MD5
ff5c5922fce8aef2b2169426de756ecc

SHA1
1bb7f0446529c29bae7cbf2f69f7038174dc82dc

SHA256
30c583f42f076c1308bb0e98d1614c3ada94b7c3415413b4aca3a23d1fd3a171

SHA512
4415ca2688f2451fb359bca04427caf647c9724db1f2738ccb280de5716262358e58bf6aab317d30504fd34d10528d57f08214a0a974c059f7a2a38cc80cfe61

Download Submit
C:\intosessionperfcrtSvc\x6qhfc.vbe
Filesize
223B

MD5
f2015b7ecf00bd67c413b1c7cf459beb

SHA1
c76006f8d6e51a4ba90dbdc718838df74ce98785

SHA256
cddddda87b944983edbf6cd8594665f18c81fab3605334f569a9185ee06a5e46

SHA512
d37aaead1a61f22f92b0725f380ff94e2fe17d41bf15ef0c65388e77d10a806a4b411df1e8b38857736e6f37e12f10ea6cb48361fee8086050d1d15100bdb24d

Download Submit
\Users\Admin\AppData\Local\Temp\Modrinth.exe
Filesize
1.6MB

MD5
24f86edba8782175bb4583a8ca79ea5a

SHA1
b3acfb862923762902bccaf7920afe9e627a4868

SHA256
17b6cee122e0e8aec959b45f83646d5f7e4e2657677ecbb17ffbaad33d3d5c0b

SHA512
ec3089f6b115a908ede383372277beb36eddc4daa1e8e5e66c7ea87f09578937528028f1087f75409e745a905d4de92e8b3afb2d51c509b7cc1961713039e417

Download Submit
\intosessionperfcrtSvc\Componentwebfont.exe
Filesize
1.2MB

MD5
4830c66c5387bfaa6373a25814227c96

SHA1
078b04372a13022208dfe05e40377e76b03fc3e2

SHA256
b9bf137b0ca0aa62f1bdf06327b54d32e26e51b821fa812f5121e8918186fc7f

SHA512
ed42ce5fad26561ed76c181beac01bbc0c9d88ea631e6af6920c04115887e24c8261658842fc3a8cfb9294b86a7008493d9f9c11a72908abc95af48b58f0d5eb

Download Submit
memory/1700-9-0x0000000000400000-0x0000000000AD7000-memory.dmp

Filesize
6.8MB

Download
memory/2636-100-0x0000000000A60000-0x0000000000B94000-memory.dmp

Filesize
1.2MB

Download
memory/2824-61-0x0000000001240000-0x0000000001374000-memory.dmp

Filesize
1.2MB

Download
memory/2824-62-0x0000000000330000-0x000000000034C000-memory.dmp

Filesize
112KB

Download
memory/2824-63-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/2824-64-0x0000000000360000-0x0000000000376000-memory.dmp

Filesize
88KB

Download
memory/2824-65-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download