dcrat | 374290f4bc29e1d5a3295b8f23c281393075beae64db51cd5a5e96c03f9ef8b0

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Crack.exe
Size

3.5MB
MD5

4bf2b73b872ff49fbffe6ff7a73f97a8
SHA1

6c4e33d77e9b7a85b140048f4711d52380d866fc
SHA256

374290f4bc29e1d5a3295b8f23c281393075beae64db51cd5a5e96c03f9ef8b0
SHA512

17821b08818ca4d81385a90f0c911f49bbcdb49d7793e26c53752c2a4f0281a435400a69dc9217b8c53d4209be8f9509cd775e42e1c2af5b1729f83f1a7f2695
SSDEEP

49152:/bA3Ds2r2n5E4UfeAn6ITBLXenQ36kxLGKlHbR7WKzjznJbRVL0x4FCE1zsbq0PI:/bW2nQt6x6l7WUXJ5FhNsW0w

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 16 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exefontreview.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2024	schtasks.exe
240	schtasks.exe
1576	schtasks.exe
1484	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontreview.exe
2824	schtasks.exe
2228	schtasks.exe
1988	schtasks.exe
1408	schtasks.exe
1244	schtasks.exe
2608	schtasks.exe
688	schtasks.exe
112	schtasks.exe
540	schtasks.exe
2732	schtasks.exe
1040	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

fontreview.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\", \"C:\\Program Files\\Google\\dwm.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\", \"C:\\Program Files\\Google\\dwm.exe\", \"C:\\Windows\\ja-JP\\audiodg.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\wscript.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\smss.exe\""	fontreview.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2348	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	2348	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2348	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2348	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2348	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2348	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2348	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2348	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2348	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2348	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2348	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2348	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2348	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2348	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2348	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

smss.exefontreview.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Media\fontreview.exe	dcrat
behavioral1/memory/2920-18-0x00000000001B0000-0x00000000004FA000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RCX3C1B.tmp	dcrat
C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe	dcrat
behavioral1/memory/816-131-0x0000000001370000-0x00000000016BA000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

fontreview.exesmss.exe

pid process

2920 fontreview.exe
816 smss.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2748 cmd.exe
2748 cmd.exe

pid	process
2748	cmd.exe
2748	cmd.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fontreview.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Google\\dwm.exe\""	fontreview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\ja-JP\\audiodg.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\smss.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\""	fontreview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Google\\dwm.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\ja-JP\\audiodg.exe\""	fontreview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\wscript.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\wscript.exe\""	fontreview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\smss.exe\""	fontreview.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

fontreview.exesmss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontreview.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Drops file in Program Files directory 5 IoCs

Processes:

fontreview.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\RCX40B0.tmp	fontreview.exe
File opened for modification	C:\Program Files\Google\RCX40B1.tmp	fontreview.exe
File opened for modification	C:\Program Files\Google\dwm.exe	fontreview.exe
File created	C:\Program Files\Google\dwm.exe	fontreview.exe
File created	C:\Program Files\Google\6cb0b6c459d5d3	fontreview.exe

Drops file in Windows directory 5 IoCs

Processes:

fontreview.exe

description	ioc	process
File created	C:\Windows\ja-JP\audiodg.exe	fontreview.exe
File created	C:\Windows\ja-JP\42af1c969fbb7b	fontreview.exe
File opened for modification	C:\Windows\ja-JP\RCX4351.tmp	fontreview.exe
File opened for modification	C:\Windows\ja-JP\RCX43BF.tmp	fontreview.exe
File opened for modification	C:\Windows\ja-JP\audiodg.exe	fontreview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1244	schtasks.exe
2608	schtasks.exe
2228	schtasks.exe
240	schtasks.exe
112	schtasks.exe
540	schtasks.exe
1408	schtasks.exe
1576	schtasks.exe
2024	schtasks.exe
2824	schtasks.exe
1484	schtasks.exe
688	schtasks.exe
1988	schtasks.exe
2732	schtasks.exe
1040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fontreview.exesmss.exe

pid	process
2920	fontreview.exe
2920	fontreview.exe
2920	fontreview.exe
2920	fontreview.exe
2920	fontreview.exe
2920	fontreview.exe
2920	fontreview.exe
2920	fontreview.exe
2920	fontreview.exe
2920	fontreview.exe
2920	fontreview.exe
2920	fontreview.exe
2920	fontreview.exe
2920	fontreview.exe
2920	fontreview.exe
2920	fontreview.exe
2920	fontreview.exe
2920	fontreview.exe
2920	fontreview.exe
2920	fontreview.exe
2920	fontreview.exe
2920	fontreview.exe
2920	fontreview.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

smss.exe

pid process

816 smss.exe

pid	process
816	smss.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

fontreview.exesmss.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2920	fontreview.exe
Token: SeDebugPrivilege	816	smss.exe
Token: SeBackupPrivilege	2176	vssvc.exe
Token: SeRestorePrivilege	2176	vssvc.exe
Token: SeAuditPrivilege	2176	vssvc.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

Crack.exeWScript.execmd.exefontreview.execmd.exesmss.exe

description	pid	process	target process
PID 2932 wrote to memory of 2928	2932	Crack.exe	WScript.exe
PID 2932 wrote to memory of 2928	2932	Crack.exe	WScript.exe
PID 2932 wrote to memory of 2928	2932	Crack.exe	WScript.exe
PID 2932 wrote to memory of 2928	2932	Crack.exe	WScript.exe
PID 2932 wrote to memory of 2512	2932	Crack.exe	WScript.exe
PID 2932 wrote to memory of 2512	2932	Crack.exe	WScript.exe
PID 2932 wrote to memory of 2512	2932	Crack.exe	WScript.exe
PID 2932 wrote to memory of 2512	2932	Crack.exe	WScript.exe
PID 2928 wrote to memory of 2748	2928	WScript.exe	cmd.exe
PID 2928 wrote to memory of 2748	2928	WScript.exe	cmd.exe
PID 2928 wrote to memory of 2748	2928	WScript.exe	cmd.exe
PID 2928 wrote to memory of 2748	2928	WScript.exe	cmd.exe
PID 2748 wrote to memory of 2920	2748	cmd.exe	fontreview.exe
PID 2748 wrote to memory of 2920	2748	cmd.exe	fontreview.exe
PID 2748 wrote to memory of 2920	2748	cmd.exe	fontreview.exe
PID 2748 wrote to memory of 2920	2748	cmd.exe	fontreview.exe
PID 2920 wrote to memory of 1672	2920	fontreview.exe	cmd.exe
PID 2920 wrote to memory of 1672	2920	fontreview.exe	cmd.exe
PID 2920 wrote to memory of 1672	2920	fontreview.exe	cmd.exe
PID 1672 wrote to memory of 1940	1672	cmd.exe	w32tm.exe
PID 1672 wrote to memory of 1940	1672	cmd.exe	w32tm.exe
PID 1672 wrote to memory of 1940	1672	cmd.exe	w32tm.exe
PID 1672 wrote to memory of 816	1672	cmd.exe	smss.exe
PID 1672 wrote to memory of 816	1672	cmd.exe	smss.exe
PID 1672 wrote to memory of 816	1672	cmd.exe	smss.exe
PID 816 wrote to memory of 1712	816	smss.exe	WScript.exe
PID 816 wrote to memory of 1712	816	smss.exe	WScript.exe
PID 816 wrote to memory of 1712	816	smss.exe	WScript.exe
PID 816 wrote to memory of 1632	816	smss.exe	WScript.exe
PID 816 wrote to memory of 1632	816	smss.exe	WScript.exe
PID 816 wrote to memory of 1632	816	smss.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

smss.exefontreview.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Crack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Media\ptTa5jsNCfUXu0BBuzB.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Media\r8iyEc3qvUngPTm4Ix.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Roaming\Media\fontreview.exe
"C:\Users\Admin\AppData\Roaming\Media\fontreview.exe"
4⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JBhaqFKSfb.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:1940

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe"
6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:816

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\490c7e70-82b4-4b66-9603-b39648369662.vbs"
7⤵
PID:1712

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1d0b0c8-ac2a-41fc-9afe-59cba079a48c.vbs"
7⤵
PID:1632

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Media\file.vbs"
2⤵
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\wscript.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\wscript.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\wscript.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Google\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:344

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RCX3C1B.tmp
Filesize
3.3MB

MD5
553b95b8cf4fc79cf8731c931dc80b5b

SHA1
3b61ea6d4d25355cd3b0bbf4f8db66aa335a73dd

SHA256
e04e0c0b8d9adb45df5e4f016e961ed055feed1bed4c73060427a6687fc01c35

SHA512
27d2d52d2cdd6eb4cf6480b9d5999368a14b159d82219777df34527bdeb428a15b1f62ae806e8a8bd2499aad6262a5a558a42ddc3bfd68532c5a9ae60ad6612e

Download Submit
C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe
Filesize
3.3MB

MD5
2975bf45db25ea1f2afb84610e60ac3b

SHA1
0e08282f875d384de965e38957aff791b3cb7b25

SHA256
d1c75efc8480954bc1b567bd9e04306d930448923c9c8ee1f210ba5e2d0c902c

SHA512
270bad378c44dae68bfaefceebf851290c08183079bd0947e1ca0bea6bc07abb908f8f0ebde0e9f27d2036bc85e7982f56039d1e7cde9a88d837fb022976049e

Download Submit
C:\Users\Admin\AppData\Local\Temp\490c7e70-82b4-4b66-9603-b39648369662.vbs
Filesize
746B

MD5
670dd42efbe7197c0f152f811d8a0f23

SHA1
9a13835b4b19105d5c9663a0bc9ff0a43c51014d

SHA256
f6e5223040106272582de4461ca9f0e57d8e325239c65d8c8cc762a398994690

SHA512
c893c467fdc5d6660180a4366c842701d540f8babeecf5130ca137e318fda1b57ade9d1f6ddc4a96afe0c30ba2034f679f5469ce03461db4043abed14c88597c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JBhaqFKSfb.bat
Filesize
236B

MD5
a455ca89f67b0e2d744dfc3592d3b5ff

SHA1
575a7db035c9a56cd5cef5150c366cb99db188e0

SHA256
023006c5dee281e91f77416db83e0b420a43cc5cb5b3a48d0ae0213f0d3da277

SHA512
bc90906dac1e455bae226a2bab1e2a7c6e7d4523cc9b939e2e8a20da10f5bace344196142f1e8646f9b2e0f35ab5fc37b362fe5838ee1c94b5d260e8bf2bbe60

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1d0b0c8-ac2a-41fc-9afe-59cba079a48c.vbs
Filesize
523B

MD5
33249fc1f2aa39fd7d2b6c1735fb8264

SHA1
f94b1d19f743dbe4b5a0b858e5467308a7dafab3

SHA256
1321401794511f615a89b9e5c3a45b30a60ac2b99243a7d060f5151fff1cae0e

SHA512
507f01395b9213e2af70476696fd60aa510a59cf8315f6b8fcc607a7c5df264b3ac3de7bc7f28cf63806d60d05236a0eb3a84b46f5f36fb47dd844b4e707bd49

Download Submit
C:\Users\Admin\AppData\Roaming\Media\file.vbs
Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\Users\Admin\AppData\Roaming\Media\fontreview.exe
Filesize
3.3MB

MD5
ee603f48c1f35659899993e21fd33d8f

SHA1
86ee8bd079b178b31df3522c08a040aac575a6c6

SHA256
f76ce5581a109be6e0d8358e0dc15a8dea066cb27256628a315e6edd94264b0c

SHA512
02ea39ee7d7cd30a588846d3da89ed89b8a4f322b1a58db1753633fd20d9066d2921bfe5685322f79c76d6466190fd34b8555f14363ed2607f759d64c254b0d8

Download Submit
C:\Users\Admin\AppData\Roaming\Media\ptTa5jsNCfUXu0BBuzB.vbe
Filesize
204B

MD5
022c5590f72d752d578df8eb3f03d355

SHA1
9519d3ea40324448e06863b196dd23e7d4a12dac

SHA256
8c2161c0de7a3e07e53766e6e267fe23f98c2cdeef31220eaa68be1bf48e0eb7

SHA512
269369042c72fc985823e7938cd8635bf85f9c59e07a3065742321d7639c3a7865b807470ffb4efabb5573ecb1413463c0d270a6aa309786905286b6ad6db01a

Download Submit
C:\Users\Admin\AppData\Roaming\Media\r8iyEc3qvUngPTm4Ix.bat
Filesize
32B

MD5
c1ba58455a6a3970b127d9a7e1314cf0

SHA1
9855d4f713ba963f0976df6d5e1616d471265b70

SHA256
f1fc9c92abe5e1a915c0f3dfdbe9df00bc60a6163025574a33c1e48a8ae9eefb

SHA512
56a782da20e4e5e4233a530e32f564e94dfd4cb0643b7a63d07d6f3f4ef51ae0cbf0cff21cc9472b5ff0774afc753151a3da40871d1559ccd340307dfc9edd0c

Download Submit
memory/816-133-0x00000000012E0000-0x00000000012F2000-memory.dmp

Filesize
72KB

Download
memory/816-132-0x000000001B060000-0x000000001B0B6000-memory.dmp

Filesize
344KB

Download
memory/816-131-0x0000000001370000-0x00000000016BA000-memory.dmp

Filesize
3.3MB

Download
memory/2920-33-0x000000001B280000-0x000000001B288000-memory.dmp

Filesize
32KB

Download
memory/2920-43-0x000000001B520000-0x000000001B52C000-memory.dmp

Filesize
48KB

Download
memory/2920-28-0x000000001B060000-0x000000001B068000-memory.dmp

Filesize
32KB

Download
memory/2920-29-0x000000001B070000-0x000000001B080000-memory.dmp

Filesize
64KB

Download
memory/2920-30-0x000000001B090000-0x000000001B09A000-memory.dmp

Filesize
40KB

Download
memory/2920-31-0x000000001B0A0000-0x000000001B0F6000-memory.dmp

Filesize
344KB

Download
memory/2920-32-0x000000001B270000-0x000000001B27C000-memory.dmp

Filesize
48KB

Download
memory/2920-36-0x000000001B2B0000-0x000000001B2C2000-memory.dmp

Filesize
72KB

Download
memory/2920-35-0x000000001B2A0000-0x000000001B2A8000-memory.dmp

Filesize
32KB

Download
memory/2920-34-0x000000001B290000-0x000000001B29C000-memory.dmp

Filesize
48KB

Download
memory/2920-26-0x000000001AE50000-0x000000001AE62000-memory.dmp

Filesize
72KB

Download
memory/2920-37-0x000000001B2C0000-0x000000001B2CC000-memory.dmp

Filesize
48KB

Download
memory/2920-38-0x000000001B350000-0x000000001B35C000-memory.dmp

Filesize
48KB

Download
memory/2920-39-0x000000001B360000-0x000000001B368000-memory.dmp

Filesize
32KB

Download
memory/2920-40-0x000000001B4F0000-0x000000001B4FC000-memory.dmp

Filesize
48KB

Download
memory/2920-41-0x000000001B500000-0x000000001B50C000-memory.dmp

Filesize
48KB

Download
memory/2920-42-0x000000001B510000-0x000000001B518000-memory.dmp

Filesize
32KB

Download
memory/2920-27-0x000000001B080000-0x000000001B08C000-memory.dmp

Filesize
48KB

Download
memory/2920-44-0x000000001B530000-0x000000001B53A000-memory.dmp

Filesize
40KB

Download
memory/2920-45-0x000000001B540000-0x000000001B54E000-memory.dmp

Filesize
56KB

Download
memory/2920-46-0x000000001B550000-0x000000001B558000-memory.dmp

Filesize
32KB

Download
memory/2920-48-0x000000001B570000-0x000000001B57C000-memory.dmp

Filesize
48KB

Download
memory/2920-47-0x000000001B560000-0x000000001B568000-memory.dmp

Filesize
32KB

Download
memory/2920-49-0x000000001B580000-0x000000001B588000-memory.dmp

Filesize
32KB

Download
memory/2920-50-0x000000001B590000-0x000000001B59A000-memory.dmp

Filesize
40KB

Download
memory/2920-51-0x000000001B6A0000-0x000000001B6AC000-memory.dmp

Filesize
48KB

Download
memory/2920-25-0x000000001AE40000-0x000000001AE48000-memory.dmp

Filesize
32KB

Download
memory/2920-24-0x000000001AD20000-0x000000001AD36000-memory.dmp

Filesize
88KB

Download
memory/2920-23-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download
memory/2920-22-0x0000000000880000-0x0000000000888000-memory.dmp

Filesize
32KB

Download
memory/2920-21-0x000000001AD00000-0x000000001AD1C000-memory.dmp

Filesize
112KB

Download
memory/2920-20-0x00000000007F0000-0x00000000007F8000-memory.dmp

Filesize
32KB

Download
memory/2920-19-0x00000000005A0000-0x00000000005AE000-memory.dmp

Filesize
56KB

Download
memory/2920-18-0x00000000001B0000-0x00000000004FA000-memory.dmp

Filesize
3.3MB

Download