dcrat | 374290f4bc29e1d5a3295b8f23c281393075beae64db51cd5a5e96c03f9ef8b0

Analysis

max time kernel
51s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Crack.exe
Size

3.5MB
MD5

4bf2b73b872ff49fbffe6ff7a73f97a8
SHA1

6c4e33d77e9b7a85b140048f4711d52380d866fc
SHA256

374290f4bc29e1d5a3295b8f23c281393075beae64db51cd5a5e96c03f9ef8b0
SHA512

17821b08818ca4d81385a90f0c911f49bbcdb49d7793e26c53752c2a4f0281a435400a69dc9217b8c53d4209be8f9509cd775e42e1c2af5b1729f83f1a7f2695
SSDEEP

49152:/bA3Ds2r2n5E4UfeAn6ITBLXenQ36kxLGKlHbR7WKzjznJbRVL0x4FCE1zsbq0PI:/bW2nQt6x6l7WUXJ5FhNsW0w

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 38 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

fontreview.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeCrack.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\e6c9b481da804f	fontreview.exe
2668	schtasks.exe
924	schtasks.exe
4068	schtasks.exe
3320	schtasks.exe
1504	schtasks.exe
4024	schtasks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Crack.exe
5052	schtasks.exe
3684	schtasks.exe
548	schtasks.exe
3976	schtasks.exe
2740	schtasks.exe
4580	schtasks.exe
1044	schtasks.exe
1000	schtasks.exe
1344	schtasks.exe
1216	schtasks.exe
1124	schtasks.exe
2388	schtasks.exe
1512	schtasks.exe
2832	schtasks.exe
3836	schtasks.exe
3380	schtasks.exe
2172	schtasks.exe
4928	schtasks.exe
1180	schtasks.exe
3196	schtasks.exe
4524	schtasks.exe
4064	schtasks.exe
744	schtasks.exe
764	schtasks.exe
3128	schtasks.exe
3028	schtasks.exe
452	schtasks.exe
4220	schtasks.exe
3116	schtasks.exe
4104	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

fontreview.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\System\\Ole DB\\de-DE\\OfficeClickToRun.exe\", \"C:\\Windows\\Sun\\Java\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ServiceProfiles\\NetworkService\\Saved Games\\upfc.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\SearchApp.exe\", \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\unsecapp.exe\", \"C:\\Windows\\ShellExperiences\\Idle.exe\", \"C:\\Program Files (x86)\\Windows NT\\wininit.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\System\\Ole DB\\de-DE\\OfficeClickToRun.exe\", \"C:\\Windows\\Sun\\Java\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ServiceProfiles\\NetworkService\\Saved Games\\upfc.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\SearchApp.exe\", \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\unsecapp.exe\", \"C:\\Windows\\ShellExperiences\\Idle.exe\", \"C:\\Program Files (x86)\\Windows NT\\wininit.exe\", \"C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Public\\Desktop\\System.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\System\\Ole DB\\de-DE\\OfficeClickToRun.exe\", \"C:\\Windows\\Sun\\Java\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ServiceProfiles\\NetworkService\\Saved Games\\upfc.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\SearchApp.exe\", \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\unsecapp.exe\", \"C:\\Windows\\ShellExperiences\\Idle.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\System\\Ole DB\\de-DE\\OfficeClickToRun.exe\", \"C:\\Windows\\Sun\\Java\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ServiceProfiles\\NetworkService\\Saved Games\\upfc.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\SearchApp.exe\", \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\unsecapp.exe\", \"C:\\Windows\\ShellExperiences\\Idle.exe\", \"C:\\Program Files (x86)\\Windows NT\\wininit.exe\", \"C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\RuntimeBroker.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\System\\Ole DB\\de-DE\\OfficeClickToRun.exe\", \"C:\\Windows\\Sun\\Java\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ServiceProfiles\\NetworkService\\Saved Games\\upfc.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\SearchApp.exe\", \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\unsecapp.exe\", \"C:\\Windows\\ShellExperiences\\Idle.exe\", \"C:\\Program Files (x86)\\Windows NT\\wininit.exe\", \"C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\System\\Ole DB\\de-DE\\OfficeClickToRun.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\System\\Ole DB\\de-DE\\OfficeClickToRun.exe\", \"C:\\Windows\\Sun\\Java\\StartMenuExperienceHost.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\System\\Ole DB\\de-DE\\OfficeClickToRun.exe\", \"C:\\Windows\\Sun\\Java\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ServiceProfiles\\NetworkService\\Saved Games\\upfc.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\System\\Ole DB\\de-DE\\OfficeClickToRun.exe\", \"C:\\Windows\\Sun\\Java\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ServiceProfiles\\NetworkService\\Saved Games\\upfc.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\SearchApp.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\System\\Ole DB\\de-DE\\OfficeClickToRun.exe\", \"C:\\Windows\\Sun\\Java\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ServiceProfiles\\NetworkService\\Saved Games\\upfc.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\SearchApp.exe\", \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\unsecapp.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\System\\Ole DB\\de-DE\\OfficeClickToRun.exe\", \"C:\\Windows\\Sun\\Java\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ServiceProfiles\\NetworkService\\Saved Games\\upfc.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\SearchApp.exe\", \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\unsecapp.exe\", \"C:\\Windows\\ShellExperiences\\Idle.exe\", \"C:\\Program Files (x86)\\Windows NT\\wininit.exe\", \"C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Public\\Desktop\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\Idle.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\System\\Ole DB\\de-DE\\OfficeClickToRun.exe\", \"C:\\Windows\\Sun\\Java\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ServiceProfiles\\NetworkService\\Saved Games\\upfc.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\SearchApp.exe\", \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\unsecapp.exe\", \"C:\\Windows\\ShellExperiences\\Idle.exe\", \"C:\\Program Files (x86)\\Windows NT\\wininit.exe\", \"C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Public\\Desktop\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\fontdrvhost.exe\""	fontreview.exe

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	2060	schtasks.exe

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

unsecapp.exefontreview.exeunsecapp.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Media\fontreview.exe	dcrat
behavioral2/memory/4072-17-0x0000000000A90000-0x0000000000DDA000-memory.dmp	dcrat
C:\Program Files\Common Files\System\Ole DB\de-DE\OfficeClickToRun.exe	dcrat
C:\Windows\ServiceProfiles\NetworkService\Saved Games\upfc.exe	dcrat
C:\Program Files\Windows NT\Accessories\SearchApp.exe	dcrat
C:\ProgramData\regid.1991-06.com.microsoft\RCX9CA9.tmp	dcrat
C:\Recovery\WindowsRE\RCXA72F.tmp	dcrat
C:\Users\Public\Desktop\System.exe	dcrat
C:\Program Files\Windows Sidebar\Shared Gadgets\fontdrvhost.exe	dcrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Crack.exeWScript.exefontreview.exeunsecapp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Crack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	fontreview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	unsecapp.exe

Executes dropped EXE 3 IoCs

Processes:

fontreview.exeunsecapp.exeunsecapp.exe

pid process

4072 fontreview.exe
1640 unsecapp.exe
3864 unsecapp.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fontreview.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\System\\Ole DB\\de-DE\\OfficeClickToRun.exe\""	fontreview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\Sun\\Java\\StartMenuExperienceHost.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\Sun\\Java\\StartMenuExperienceHost.exe\""	fontreview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\Windows NT\\Accessories\\SearchApp.exe\""	fontreview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\ShellExperiences\\Idle.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows NT\\wininit.exe\""	fontreview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\""	fontreview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Registration\\CRMLog\\Idle.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\fontdrvhost.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\System\\Ole DB\\de-DE\\OfficeClickToRun.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\RuntimeBroker.exe\""	fontreview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\Desktop\\System.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\Desktop\\System.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Registration\\CRMLog\\Idle.exe\""	fontreview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\fontdrvhost.exe\""	fontreview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\ServiceProfiles\\NetworkService\\Saved Games\\upfc.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\Windows NT\\Accessories\\SearchApp.exe\""	fontreview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\unsecapp.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\unsecapp.exe\""	fontreview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\RuntimeBroker.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\ServiceProfiles\\NetworkService\\Saved Games\\upfc.exe\""	fontreview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\ShellExperiences\\Idle.exe\""	fontreview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows NT\\wininit.exe\""	fontreview.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

fontreview.exeunsecapp.exeunsecapp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontreview.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
11 ip-api.com
15 ip-api.com

flow	ioc
3	ip-api.com
11	ip-api.com
15	ip-api.com

Drops file in Program Files directory 20 IoCs

Processes:

fontreview.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows NT\RCXA1AD.tmp	fontreview.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\fontdrvhost.exe	fontreview.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\e6c9b481da804f	fontreview.exe
File created	C:\Program Files (x86)\Windows NT\wininit.exe	fontreview.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\RCX99E7.tmp	fontreview.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\SearchApp.exe	fontreview.exe
File opened for modification	C:\Program Files (x86)\Windows NT\wininit.exe	fontreview.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCXAE1B.tmp	fontreview.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\OfficeClickToRun.exe	fontreview.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\OfficeClickToRun.exe	fontreview.exe
File created	C:\Program Files (x86)\Windows NT\56085415360792	fontreview.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\5b884080fd4f94	fontreview.exe
File created	C:\Program Files\Windows NT\Accessories\SearchApp.exe	fontreview.exe
File created	C:\Program Files\Windows NT\Accessories\38384e6a620884	fontreview.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\fontdrvhost.exe	fontreview.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\RCX926F.tmp	fontreview.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\RCX91C2.tmp	fontreview.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\RCX991B.tmp	fontreview.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCXA22B.tmp	fontreview.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCXAE99.tmp	fontreview.exe

Drops file in Windows directory 22 IoCs

Processes:

fontreview.exe

description	ioc	process
File created	C:\Windows\Sun\Java\StartMenuExperienceHost.exe	fontreview.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Saved Games\ea1d8f6d871115	fontreview.exe
File created	C:\Windows\ServiceState\EventLog\Data\sihost.exe	fontreview.exe
File opened for modification	C:\Windows\Sun\Java\StartMenuExperienceHost.exe	fontreview.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Saved Games\RCX9717.tmp	fontreview.exe
File created	C:\Windows\ShellExperiences\Idle.exe	fontreview.exe
File created	C:\Windows\Registration\CRMLog\6ccacd8608530f	fontreview.exe
File opened for modification	C:\Windows\Sun\Java\RCX9483.tmp	fontreview.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Saved Games\RCX9699.tmp	fontreview.exe
File opened for modification	C:\Windows\ShellExperiences\RCX9EAD.tmp	fontreview.exe
File opened for modification	C:\Windows\ShellExperiences\RCX9F2B.tmp	fontreview.exe
File opened for modification	C:\Windows\ShellExperiences\Idle.exe	fontreview.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCXABD8.tmp	fontreview.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Saved Games\upfc.exe	fontreview.exe
File created	C:\Windows\diagnostics\system\WindowsUpdate\es-ES\cmd.exe	fontreview.exe
File opened for modification	C:\Windows\Sun\Java\RCX9484.tmp	fontreview.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Saved Games\upfc.exe	fontreview.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCXABC7.tmp	fontreview.exe
File created	C:\Windows\Sun\Java\55b276f4edf653	fontreview.exe
File created	C:\Windows\ShellExperiences\6ccacd8608530f	fontreview.exe
File created	C:\Windows\Registration\CRMLog\Idle.exe	fontreview.exe
File opened for modification	C:\Windows\Registration\CRMLog\Idle.exe	fontreview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

Processes:

Crack.exefontreview.exeunsecapp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	Crack.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	fontreview.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	unsecapp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
1504	schtasks.exe
2740	schtasks.exe
4580	schtasks.exe
2172	schtasks.exe
1180	schtasks.exe
3976	schtasks.exe
4928	schtasks.exe
2668	schtasks.exe
1124	schtasks.exe
3380	schtasks.exe
4068	schtasks.exe
3028	schtasks.exe
3196	schtasks.exe
1344	schtasks.exe
3836	schtasks.exe
4064	schtasks.exe
1044	schtasks.exe
452	schtasks.exe
744	schtasks.exe
4104	schtasks.exe
1512	schtasks.exe
2388	schtasks.exe
3320	schtasks.exe
1000	schtasks.exe
3684	schtasks.exe
548	schtasks.exe
924	schtasks.exe
2832	schtasks.exe
3128	schtasks.exe
5052	schtasks.exe
4524	schtasks.exe
3116	schtasks.exe
1216	schtasks.exe
4220	schtasks.exe
764	schtasks.exe
4024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fontreview.exeunsecapp.exe

pid	process
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
4072	fontreview.exe
1640	unsecapp.exe
1640	unsecapp.exe
1640	unsecapp.exe
1640	unsecapp.exe
1640	unsecapp.exe
1640	unsecapp.exe
1640	unsecapp.exe
1640	unsecapp.exe
1640	unsecapp.exe
1640	unsecapp.exe
1640	unsecapp.exe
1640	unsecapp.exe
1640	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

fontreview.exeunsecapp.exeunsecapp.exe

description pid process

Token: SeDebugPrivilege 4072 fontreview.exe
Token: SeDebugPrivilege 1640 unsecapp.exe
Token: SeDebugPrivilege 3864 unsecapp.exe

description	pid	process
Token: SeDebugPrivilege	4072	fontreview.exe
Token: SeDebugPrivilege	1640	unsecapp.exe
Token: SeDebugPrivilege	3864	unsecapp.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

Crack.exeWScript.execmd.exefontreview.execmd.exeunsecapp.exeWScript.exe

description	pid	process	target process
PID 2504 wrote to memory of 2428	2504	Crack.exe	WScript.exe
PID 2504 wrote to memory of 2428	2504	Crack.exe	WScript.exe
PID 2504 wrote to memory of 2428	2504	Crack.exe	WScript.exe
PID 2504 wrote to memory of 2680	2504	Crack.exe	WScript.exe
PID 2504 wrote to memory of 2680	2504	Crack.exe	WScript.exe
PID 2504 wrote to memory of 2680	2504	Crack.exe	WScript.exe
PID 2428 wrote to memory of 116	2428	WScript.exe	cmd.exe
PID 2428 wrote to memory of 116	2428	WScript.exe	cmd.exe
PID 2428 wrote to memory of 116	2428	WScript.exe	cmd.exe
PID 116 wrote to memory of 4072	116	cmd.exe	fontreview.exe
PID 116 wrote to memory of 4072	116	cmd.exe	fontreview.exe
PID 4072 wrote to memory of 1224	4072	fontreview.exe	cmd.exe
PID 4072 wrote to memory of 1224	4072	fontreview.exe	cmd.exe
PID 1224 wrote to memory of 4488	1224	cmd.exe	w32tm.exe
PID 1224 wrote to memory of 4488	1224	cmd.exe	w32tm.exe
PID 1224 wrote to memory of 1640	1224	cmd.exe	unsecapp.exe
PID 1224 wrote to memory of 1640	1224	cmd.exe	unsecapp.exe
PID 1640 wrote to memory of 4068	1640	unsecapp.exe	WScript.exe
PID 1640 wrote to memory of 4068	1640	unsecapp.exe	WScript.exe
PID 1640 wrote to memory of 4972	1640	unsecapp.exe	WScript.exe
PID 1640 wrote to memory of 4972	1640	unsecapp.exe	WScript.exe
PID 4068 wrote to memory of 3864	4068	WScript.exe	unsecapp.exe
PID 4068 wrote to memory of 3864	4068	WScript.exe	unsecapp.exe

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

Processes:

fontreview.exeunsecapp.exeunsecapp.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Crack.exe"
1⤵
- DcRat
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Media\ptTa5jsNCfUXu0BBuzB.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Media\r8iyEc3qvUngPTm4Ix.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:116

C:\Users\Admin\AppData\Roaming\Media\fontreview.exe
"C:\Users\Admin\AppData\Roaming\Media\fontreview.exe"
4⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G24FLdsK8l.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:4488

C:\Users\All Users\regid.1991-06.com.microsoft\unsecapp.exe
"C:\Users\All Users\regid.1991-06.com.microsoft\unsecapp.exe"
6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1640

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a59241bc-822b-4b95-912a-9f04941ea744.vbs"
7⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Users\All Users\regid.1991-06.com.microsoft\unsecapp.exe
"C:\Users\All Users\regid.1991-06.com.microsoft\unsecapp.exe"
8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3864

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9e51f16-d1ed-409d-bafd-2b4d6e15f184.vbs"
7⤵
PID:4972

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Media\file.vbs"
2⤵
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\System\Ole DB\de-DE\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\Ole DB\de-DE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\System\Ole DB\de-DE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\Sun\Java\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Sun\Java\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\Java\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\NetworkService\Saved Games\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Saved Games\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\NetworkService\Saved Games\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellExperiences\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellExperiences\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\LocalLow\Microsoft\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\LocalLow\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\Ole DB\de-DE\OfficeClickToRun.exe
Filesize
3.3MB

MD5
39b8f5599ffcbce2988f92a12a8a4b4e

SHA1
4325afcc7824b8e6a167386ee000131e4a47c886

SHA256
2ce801bb4a6bb59df4f133dad8bacca7aea3cce628a2a8f3dcb8268c025aa9fb

SHA512
c6e80b17eaecfe62cd6acc0d2734d65ce7468c1003663c8bda97f8a0271492b96d9aa8c088d91dfd50c7503812cf009ca00fc8e02ba786604312fa95d0b607b1

Download Submit
C:\Program Files\Windows NT\Accessories\SearchApp.exe
Filesize
3.3MB

MD5
db6d1d3cc48ab2ca37103676bb2f5588

SHA1
66e13c5ea75ffc8ee871fb0a711d416f072a9989

SHA256
ef3c4710de99aab33cf5a46d51a1c05c6ce471636b47d85da3894ccc7dbf7545

SHA512
282fc3a5fb6c2a4ca2ce57865023f846c2566bac8e67f393a5e14671c8a28b9d45045ca20a03e581bd6e6ee906e9dd7169c9c4f22953f059fb7e5504a356e170

Download Submit
C:\Program Files\Windows Sidebar\Shared Gadgets\fontdrvhost.exe
Filesize
3.3MB

MD5
ef49fd829b2ce0bf5c16816c33591aef

SHA1
05bef0b4a0a752e867e3c370e58da3a19682bfbb

SHA256
b1fe486c719ee020c4f9609e6dfeabbdc20f7d94a2b62524caacd9708b927726

SHA512
96e8875dc640c220a47680ac62e198fe008e49336e5642612efa42a76c52905e3dbb05f8d0a13bb1897c369f6f3bb613516420d2bf523700609d40a6346e8b84

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\RCX9CA9.tmp
Filesize
3.3MB

MD5
553b95b8cf4fc79cf8731c931dc80b5b

SHA1
3b61ea6d4d25355cd3b0bbf4f8db66aa335a73dd

SHA256
e04e0c0b8d9adb45df5e4f016e961ed055feed1bed4c73060427a6687fc01c35

SHA512
27d2d52d2cdd6eb4cf6480b9d5999368a14b159d82219777df34527bdeb428a15b1f62ae806e8a8bd2499aad6262a5a558a42ddc3bfd68532c5a9ae60ad6612e

Download Submit
C:\Recovery\WindowsRE\RCXA72F.tmp
Filesize
3.3MB

MD5
1ffd7b0639844f51c346e36d4eeef10f

SHA1
9e70ca5d1a1588f94411040fd46dfa4330892f90

SHA256
b32cfbb4341b8d566bb7464a6f723db22fcb42f23415ec044f835e45106b03f5

SHA512
ee084a8aca9b3a0a7d84a10dca795ed30f4d95c4fc65d1d75410a10f7decf1ba947df9861b602de246f89904a5d1482bfb4b39c658798fb12995f29597bdcd28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log
Filesize
1KB

MD5
49b64127208271d8f797256057d0b006

SHA1
b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

SHA256
2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

SHA512
f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\G24FLdsK8l.bat
Filesize
224B

MD5
1266022d93d2a0ef31c8d9be922429a2

SHA1
00ddeaa9d4429c46de40f6dabe4ede661e70aafb

SHA256
3d54d13b7aa032b7015ed180a879c4e1d692f927eb70d54741e56b3453463e9b

SHA512
6e089d66f84f7bfa957a4bed5751e2ae2f12aea6f11beebd3ab125cbcf72c79998c1720ee185e3cb5411fe6b84f0777e9f34c20571d4cee7d3e0ff1a9f695e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\a59241bc-822b-4b95-912a-9f04941ea744.vbs
Filesize
735B

MD5
493e5dadd2ae3c4496143986abfbfdf6

SHA1
79c31336c7288fdf0ec1baab70b97a2fa54306f4

SHA256
e1146b1039ea1ec9b985db39be7a15c847e679b84c52f4344010056db2f7d67c

SHA512
15f390ff2c74d48845e1393a62d64dcb40d6f04b55464558f057082686cc153de0423687f4f3a2cd09c41ece243a470da9f6a9494bfd70c7b3166d3f82211dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9e51f16-d1ed-409d-bafd-2b4d6e15f184.vbs
Filesize
511B

MD5
290a51dbbb09d0b3f7b0043291795e75

SHA1
c6f43da4a9440adf3b86efc98001b2f7a30ca65f

SHA256
b2b00dade99070fa03f6acfa9236fba9fa2a715623f8ceb22c23a294a16ed344

SHA512
59ceb761a7647dd6a9720dd2346f7e801ed518ed996a0a32e59d7f513e036625ee1e58a32f57c193f1e345d1ec547d2b233360d325d68a6f76b99bfd92dc82ea

Download Submit
C:\Users\Admin\AppData\Roaming\Media\file.vbs
Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\Users\Admin\AppData\Roaming\Media\fontreview.exe
Filesize
3.3MB

MD5
ee603f48c1f35659899993e21fd33d8f

SHA1
86ee8bd079b178b31df3522c08a040aac575a6c6

SHA256
f76ce5581a109be6e0d8358e0dc15a8dea066cb27256628a315e6edd94264b0c

SHA512
02ea39ee7d7cd30a588846d3da89ed89b8a4f322b1a58db1753633fd20d9066d2921bfe5685322f79c76d6466190fd34b8555f14363ed2607f759d64c254b0d8

Download Submit
C:\Users\Admin\AppData\Roaming\Media\ptTa5jsNCfUXu0BBuzB.vbe
Filesize
204B

MD5
022c5590f72d752d578df8eb3f03d355

SHA1
9519d3ea40324448e06863b196dd23e7d4a12dac

SHA256
8c2161c0de7a3e07e53766e6e267fe23f98c2cdeef31220eaa68be1bf48e0eb7

SHA512
269369042c72fc985823e7938cd8635bf85f9c59e07a3065742321d7639c3a7865b807470ffb4efabb5573ecb1413463c0d270a6aa309786905286b6ad6db01a

Download Submit
C:\Users\Admin\AppData\Roaming\Media\r8iyEc3qvUngPTm4Ix.bat
Filesize
32B

MD5
c1ba58455a6a3970b127d9a7e1314cf0

SHA1
9855d4f713ba963f0976df6d5e1616d471265b70

SHA256
f1fc9c92abe5e1a915c0f3dfdbe9df00bc60a6163025574a33c1e48a8ae9eefb

SHA512
56a782da20e4e5e4233a530e32f564e94dfd4cb0643b7a63d07d6f3f4ef51ae0cbf0cff21cc9472b5ff0774afc753151a3da40871d1559ccd340307dfc9edd0c

Download Submit
C:\Users\Public\Desktop\System.exe
Filesize
3.3MB

MD5
6f236e72eb712411c0ec01ba3322d62e

SHA1
02af8f7c7b6e48a01387dec2f251ff1af1e2be14

SHA256
aafd0ee795eaf5c7cce9a301858be172c95eabea04241fd282cc35fb9ad4af41

SHA512
69b9f6bf22c284c8c6861ce5c7cc458ff3e206cf11fca284b2172906c745f1a0f5a6ed7374d9bfef3c2d6dc43b588766510d741be57155fa3c9abc5e9925f84e

Download Submit
C:\Windows\ServiceProfiles\NetworkService\Saved Games\upfc.exe
Filesize
3.3MB

MD5
33e3cb5ead21f4bd0bab424c617c71a3

SHA1
7821e5a3b1d859339a1c06094613e43ef61349b2

SHA256
a65e712336fbe72b5ae4d002fd7bb758648ce534332702ea1dd830f16c78cc1c

SHA512
8fa8a6661efc69404262da4c9f1728b59b0cad754a20078336ea886131299111cfe3f34d72388a02405814133c31c9ad1fc9d821bc1e704a4eaa6da9f6981273

Download Submit
memory/1640-225-0x000000001BE80000-0x000000001BE92000-memory.dmp

Filesize
72KB

Download
memory/4072-39-0x000000001C830000-0x000000001C83C000-memory.dmp

Filesize
48KB

Download
memory/4072-50-0x000000001CAA0000-0x000000001CAA8000-memory.dmp

Filesize
32KB

Download
memory/4072-31-0x000000001C780000-0x000000001C7D6000-memory.dmp

Filesize
344KB

Download
memory/4072-32-0x000000001C7D0000-0x000000001C7DC000-memory.dmp

Filesize
48KB

Download
memory/4072-33-0x000000001C7E0000-0x000000001C7E8000-memory.dmp

Filesize
32KB

Download
memory/4072-34-0x000000001C7F0000-0x000000001C7FC000-memory.dmp

Filesize
48KB

Download
memory/4072-35-0x000000001C800000-0x000000001C808000-memory.dmp

Filesize
32KB

Download
memory/4072-36-0x000000001C810000-0x000000001C822000-memory.dmp

Filesize
72KB

Download
memory/4072-37-0x000000001CD50000-0x000000001D278000-memory.dmp

Filesize
5.2MB

Download
memory/4072-38-0x000000001C820000-0x000000001C82C000-memory.dmp

Filesize
48KB

Download
memory/4072-29-0x000000001C760000-0x000000001C770000-memory.dmp

Filesize
64KB

Download
memory/4072-42-0x000000001C860000-0x000000001C86C000-memory.dmp

Filesize
48KB

Download
memory/4072-41-0x000000001C850000-0x000000001C85C000-memory.dmp

Filesize
48KB

Download
memory/4072-40-0x000000001C840000-0x000000001C848000-memory.dmp

Filesize
32KB

Download
memory/4072-43-0x000000001CAE0000-0x000000001CAE8000-memory.dmp

Filesize
32KB

Download
memory/4072-49-0x000000001CB10000-0x000000001CB1C000-memory.dmp

Filesize
48KB

Download
memory/4072-48-0x000000001CB00000-0x000000001CB08000-memory.dmp

Filesize
32KB

Download
memory/4072-30-0x000000001C770000-0x000000001C77A000-memory.dmp

Filesize
40KB

Download
memory/4072-51-0x000000001CAB0000-0x000000001CABA000-memory.dmp

Filesize
40KB

Download
memory/4072-47-0x000000001CAF0000-0x000000001CAF8000-memory.dmp

Filesize
32KB

Download
memory/4072-46-0x000000001C990000-0x000000001C99E000-memory.dmp

Filesize
56KB

Download
memory/4072-45-0x000000001C980000-0x000000001C98A000-memory.dmp

Filesize
40KB

Download
memory/4072-44-0x000000001C970000-0x000000001C97C000-memory.dmp

Filesize
48KB

Download
memory/4072-52-0x000000001CAC0000-0x000000001CACC000-memory.dmp

Filesize
48KB

Download
memory/4072-28-0x000000001C5E0000-0x000000001C5E8000-memory.dmp

Filesize
32KB

Download
memory/4072-27-0x000000001C5F0000-0x000000001C5FC000-memory.dmp

Filesize
48KB

Download
memory/4072-23-0x0000000003120000-0x0000000003130000-memory.dmp

Filesize
64KB

Download
memory/4072-26-0x000000001C600000-0x000000001C612000-memory.dmp

Filesize
72KB

Download
memory/4072-25-0x000000001BA40000-0x000000001BA48000-memory.dmp

Filesize
32KB

Download
memory/4072-24-0x000000001C5C0000-0x000000001C5D6000-memory.dmp

Filesize
88KB

Download
memory/4072-22-0x00000000030F0000-0x00000000030F8000-memory.dmp

Filesize
32KB

Download
memory/4072-21-0x000000001C610000-0x000000001C660000-memory.dmp

Filesize
320KB

Download
memory/4072-20-0x00000000030D0000-0x00000000030EC000-memory.dmp

Filesize
112KB

Download
memory/4072-19-0x00000000030C0000-0x00000000030C8000-memory.dmp

Filesize
32KB

Download
memory/4072-18-0x0000000003110000-0x000000000311E000-memory.dmp

Filesize
56KB

Download
memory/4072-17-0x0000000000A90000-0x0000000000DDA000-memory.dmp

Filesize
3.3MB

Download