dcrat | 94263aa0a3b9de301c6fea69b4d211662829b23a80020b80879f37e6ff6bd6f0

Resubmissions

24-09-2022 20:40

220924-zf4hradccr 10

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2022 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b26eab73b57842b1b5c439df38324e9.exe
Size

2.6MB
MD5

0b26eab73b57842b1b5c439df38324e9
SHA1

42633109f529b2dad7532b349c32c5d5f867ecf9
SHA256

94263aa0a3b9de301c6fea69b4d211662829b23a80020b80879f37e6ff6bd6f0
SHA512

e653f61dfce5e156a9135ec34cca1f3765192e22ec80f5f43c49e5140681b5e514896c2720e048245088d15ceecb95e11625deff6355ed7db6c26ae7f0e6d7e7
SSDEEP

49152:npTn80rAHkSrvT7yEBpojAGw3fo+5D0gRbfGNW8UlbSpDCP2XF:nZpktrvTOqp2Nw3L0gRbfGI8sepeu1

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	3572	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	3572	schtasks.exe	37

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b26eab73b57842b1b5c439df38324e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b26eab73b57842b1b5c439df38324e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b26eab73b57842b1b5c439df38324e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1932-132-0x00000000002E0000-0x0000000000584000-memory.dmp	dcrat
behavioral2/files/0x0007000000022e76-156.dat	dcrat
behavioral2/files/0x0007000000022e76-155.dat	dcrat
behavioral2/memory/3844-158-0x00000000003F0000-0x0000000000694000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
3844	SppExtComObj.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	0b26eab73b57842b1b5c439df38324e9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0b26eab73b57842b1b5c439df38324e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b26eab73b57842b1b5c439df38324e9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ipinfo.io
18	ipinfo.io

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\tracing\ea1d8f6d871115	0b26eab73b57842b1b5c439df38324e9.exe
File created	C:\Windows\Microsoft.NET\Framework\1040\dllhost.exe	0b26eab73b57842b1b5c439df38324e9.exe
File created	C:\Windows\Cursors\e1ef82546f0b02	0b26eab73b57842b1b5c439df38324e9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\1040\dllhost.exe	0b26eab73b57842b1b5c439df38324e9.exe
File opened for modification	C:\Windows\Cursors\SppExtComObj.exe	0b26eab73b57842b1b5c439df38324e9.exe
File created	C:\Windows\Microsoft.NET\Framework\1040\5940a34987c991	0b26eab73b57842b1b5c439df38324e9.exe
File opened for modification	C:\Windows\Cursors\RCX8D1F.tmp	0b26eab73b57842b1b5c439df38324e9.exe
File opened for modification	C:\Windows\tracing\StartMenuExperienceHost.exe	0b26eab73b57842b1b5c439df38324e9.exe
File created	C:\Windows\tracing\55b276f4edf653	0b26eab73b57842b1b5c439df38324e9.exe
File opened for modification	C:\Windows\tracing\RCX7FD7.tmp	0b26eab73b57842b1b5c439df38324e9.exe
File opened for modification	C:\Windows\tracing\RCX8065.tmp	0b26eab73b57842b1b5c439df38324e9.exe
File opened for modification	C:\Windows\tracing\upfc.exe	0b26eab73b57842b1b5c439df38324e9.exe
File opened for modification	C:\Windows\Cursors\RCX8C53.tmp	0b26eab73b57842b1b5c439df38324e9.exe
File opened for modification	C:\Windows\tracing\RCX903E.tmp	0b26eab73b57842b1b5c439df38324e9.exe
File created	C:\Windows\tracing\upfc.exe	0b26eab73b57842b1b5c439df38324e9.exe
File created	C:\Windows\Cursors\SppExtComObj.exe	0b26eab73b57842b1b5c439df38324e9.exe
File created	C:\Windows\tracing\StartMenuExperienceHost.exe	0b26eab73b57842b1b5c439df38324e9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\1040\RCX8934.tmp	0b26eab73b57842b1b5c439df38324e9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\1040\RCX89C2.tmp	0b26eab73b57842b1b5c439df38324e9.exe
File opened for modification	C:\Windows\tracing\RCX8FB0.tmp	0b26eab73b57842b1b5c439df38324e9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3540	schtasks.exe
1712	schtasks.exe
1344	schtasks.exe
4756	schtasks.exe
4436	schtasks.exe
1632	schtasks.exe
4236	schtasks.exe
4376	schtasks.exe
4452	schtasks.exe
208	schtasks.exe
4140	schtasks.exe
4632	schtasks.exe
1008	schtasks.exe
1284	schtasks.exe
2064	schtasks.exe
4408	schtasks.exe
2140	schtasks.exe
4896	schtasks.exe
4472	schtasks.exe
1296	schtasks.exe
1096	schtasks.exe
1960	schtasks.exe
2372	schtasks.exe
4904	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	0b26eab73b57842b1b5c439df38324e9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
5084	powershell.exe
5084	powershell.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
2368	powershell.exe
2368	powershell.exe
2664	powershell.exe
2664	powershell.exe
4428	powershell.exe
4428	powershell.exe
1892	powershell.exe
1892	powershell.exe
2104	powershell.exe
2104	powershell.exe
1932	0b26eab73b57842b1b5c439df38324e9.exe
2680	powershell.exe
2680	powershell.exe
1832	powershell.exe
1832	powershell.exe
4600	powershell.exe
4600	powershell.exe
4428	powershell.exe
2104	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3844	SppExtComObj.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	0b26eab73b57842b1b5c439df38324e9.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	3844	SppExtComObj.exe
Token: SeBackupPrivilege	4468	vssvc.exe
Token: SeRestorePrivilege	4468	vssvc.exe
Token: SeAuditPrivilege	4468	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3844	SppExtComObj.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2680	1932	0b26eab73b57842b1b5c439df38324e9.exe	109
PID 1932 wrote to memory of 2680	1932	0b26eab73b57842b1b5c439df38324e9.exe	109
PID 1932 wrote to memory of 2368	1932	0b26eab73b57842b1b5c439df38324e9.exe	110
PID 1932 wrote to memory of 2368	1932	0b26eab73b57842b1b5c439df38324e9.exe	110
PID 1932 wrote to memory of 5084	1932	0b26eab73b57842b1b5c439df38324e9.exe	112
PID 1932 wrote to memory of 5084	1932	0b26eab73b57842b1b5c439df38324e9.exe	112
PID 1932 wrote to memory of 1832	1932	0b26eab73b57842b1b5c439df38324e9.exe	113
PID 1932 wrote to memory of 1832	1932	0b26eab73b57842b1b5c439df38324e9.exe	113
PID 1932 wrote to memory of 2664	1932	0b26eab73b57842b1b5c439df38324e9.exe	114
PID 1932 wrote to memory of 2664	1932	0b26eab73b57842b1b5c439df38324e9.exe	114
PID 1932 wrote to memory of 4600	1932	0b26eab73b57842b1b5c439df38324e9.exe	122
PID 1932 wrote to memory of 4600	1932	0b26eab73b57842b1b5c439df38324e9.exe	122
PID 1932 wrote to memory of 4428	1932	0b26eab73b57842b1b5c439df38324e9.exe	116
PID 1932 wrote to memory of 4428	1932	0b26eab73b57842b1b5c439df38324e9.exe	116
PID 1932 wrote to memory of 2104	1932	0b26eab73b57842b1b5c439df38324e9.exe	117
PID 1932 wrote to memory of 2104	1932	0b26eab73b57842b1b5c439df38324e9.exe	117
PID 1932 wrote to memory of 1892	1932	0b26eab73b57842b1b5c439df38324e9.exe	118
PID 1932 wrote to memory of 1892	1932	0b26eab73b57842b1b5c439df38324e9.exe	118
PID 1932 wrote to memory of 3844	1932	0b26eab73b57842b1b5c439df38324e9.exe	129
PID 1932 wrote to memory of 3844	1932	0b26eab73b57842b1b5c439df38324e9.exe	129

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b26eab73b57842b1b5c439df38324e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b26eab73b57842b1b5c439df38324e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b26eab73b57842b1b5c439df38324e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe

C:\Users\Admin\AppData\Local\Temp\0b26eab73b57842b1b5c439df38324e9.exe
"C:\Users\Admin\AppData\Local\Temp\0b26eab73b57842b1b5c439df38324e9.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0b26eab73b57842b1b5c439df38324e9.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\upfc.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\SppExtComObj.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\StartMenuExperienceHost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\1040\dllhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Windows\Cursors\SppExtComObj.exe
  "C:\Windows\Cursors\SppExtComObj.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\tracing\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\Framework\1040\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework\1040\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\Framework\1040\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Cursors\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\tracing\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0891614f0e155566a40f00eb97757bd1

SHA1
47a3dda1b739a87b03eccdea879d9e7c4f38d539

SHA256
f46b2c3183a0c01b2b17abce73225cd6742796c709c4248bb5d44a2ddf282d10

SHA512
99d8dbb91e6d372c80df2d922534448b23db3721fad802d130ff0ea92b90cdc3607fbbf02554c0bf0a388ce28d0669125597f15f3ee5c62d44470bc34920a73a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0891614f0e155566a40f00eb97757bd1

SHA1
47a3dda1b739a87b03eccdea879d9e7c4f38d539

SHA256
f46b2c3183a0c01b2b17abce73225cd6742796c709c4248bb5d44a2ddf282d10

SHA512
99d8dbb91e6d372c80df2d922534448b23db3721fad802d130ff0ea92b90cdc3607fbbf02554c0bf0a388ce28d0669125597f15f3ee5c62d44470bc34920a73a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Windows\Cursors\SppExtComObj.exe

Filesize
2.6MB

MD5
a9f9e9db2a44b02aa1624c4f19ffc69b

SHA1
1c54d990092501669b3c8192e96c30fa6890555b

SHA256
3734e06250bcda282bdd84970bcdbb489569190a55daa7fe525c6941f969a048

SHA512
08b682ac443f20ec5bd4511c78446fff42e4c70c55f0b8dbf0cb223680384cac9c57cec2d4782518dc449efd4f89cf4d70aac621d1a86e2211b055b2f4b3abf1

Download Submit
C:\Windows\Cursors\SppExtComObj.exe

Filesize
2.6MB

MD5
a9f9e9db2a44b02aa1624c4f19ffc69b

SHA1
1c54d990092501669b3c8192e96c30fa6890555b

SHA256
3734e06250bcda282bdd84970bcdbb489569190a55daa7fe525c6941f969a048

SHA512
08b682ac443f20ec5bd4511c78446fff42e4c70c55f0b8dbf0cb223680384cac9c57cec2d4782518dc449efd4f89cf4d70aac621d1a86e2211b055b2f4b3abf1

Download Submit
memory/1832-151-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1832-173-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1892-157-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1892-182-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1932-159-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1932-136-0x000000001DBD0000-0x000000001DBD4000-memory.dmp

Filesize
16KB

Download
memory/1932-133-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1932-134-0x000000001CF60000-0x000000001D488000-memory.dmp

Filesize
5.2MB

Download
memory/1932-135-0x000000001B179000-0x000000001B17F000-memory.dmp

Filesize
24KB

Download
memory/1932-137-0x000000001DBD4000-0x000000001DBD7000-memory.dmp

Filesize
12KB

Download
memory/1932-163-0x000000001DBD4000-0x000000001DBD7000-memory.dmp

Filesize
12KB

Download
memory/1932-162-0x000000001DBD0000-0x000000001DBD4000-memory.dmp

Filesize
16KB

Download
memory/1932-132-0x00000000002E0000-0x0000000000584000-memory.dmp

Filesize
2.6MB

Download
memory/1932-160-0x000000001B179000-0x000000001B17F000-memory.dmp

Filesize
24KB

Download
memory/2104-169-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2104-161-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2368-176-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2368-149-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2664-150-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2664-180-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2680-168-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2680-164-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3844-158-0x00000000003F0000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/3844-186-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3844-187-0x00000000026B9000-0x00000000026BF000-memory.dmp

Filesize
24KB

Download
memory/3844-171-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3844-184-0x00000000026B9000-0x00000000026BF000-memory.dmp

Filesize
24KB

Download
memory/3844-185-0x000000001EC10000-0x000000001EDD2000-memory.dmp

Filesize
1.8MB

Download
memory/4428-152-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4428-170-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4600-181-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4600-153-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4600-147-0x000001AC21950000-0x000001AC21972000-memory.dmp

Filesize
136KB

Download
memory/5084-183-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/5084-148-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download