dcrat | 561c42758fa04340f8d121384f586adfe1a032e1dcdf7580e5047a7e7dc42e8c

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-09-2022 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12312de68052a05888a9cf9d804cec6c.exe
Size

2.6MB
MD5

12312de68052a05888a9cf9d804cec6c
SHA1

ddae2aaadb5b462c95a768d15b9cbb8ddc97571f
SHA256

561c42758fa04340f8d121384f586adfe1a032e1dcdf7580e5047a7e7dc42e8c
SHA512

02f0c91703a50c57f7ab24b05676933d8ce102a0da608a610b6fb066dffed1a32affe6dcdccb9aeb79c1714b134ada7b2c2a9219f8d3d6ed2cf13b4fa8348630
SSDEEP

49152:XpTn80rAHkSrvT7yEBpojAGw3fo+5D0gRbfGNW8UlbSpDCP2XF:XZpktrvTOqp2Nw3L0gRbfGI8sepeu1

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	920	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	920	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	920	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	920	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	920	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	920	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	920	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	920	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	920	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	920	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	920	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	920	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

12312de68052a05888a9cf9d804cec6c.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	12312de68052a05888a9cf9d804cec6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	12312de68052a05888a9cf9d804cec6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	12312de68052a05888a9cf9d804cec6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1084-54-0x0000000001370000-0x0000000001614000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe	dcrat
behavioral1/memory/1480-100-0x0000000000DC0000-0x0000000001064000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

winlogon.exe

pid process

1480 winlogon.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1480	winlogon.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

winlogon.exe12312de68052a05888a9cf9d804cec6c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	12312de68052a05888a9cf9d804cec6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	12312de68052a05888a9cf9d804cec6c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ipinfo.io
7 ipinfo.io

flow	ioc
6	ipinfo.io
7	ipinfo.io

Drops file in Program Files directory 5 IoCs

Processes:

12312de68052a05888a9cf9d804cec6c.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\dwm.exe	12312de68052a05888a9cf9d804cec6c.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\6cb0b6c459d5d3	12312de68052a05888a9cf9d804cec6c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCX33F3.tmp	12312de68052a05888a9cf9d804cec6c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCX378C.tmp	12312de68052a05888a9cf9d804cec6c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\dwm.exe	12312de68052a05888a9cf9d804cec6c.exe

Drops file in Windows directory 5 IoCs

Processes:

12312de68052a05888a9cf9d804cec6c.exe

description	ioc	process
File opened for modification	C:\Windows\addins\RCX2B3B.tmp	12312de68052a05888a9cf9d804cec6c.exe
File opened for modification	C:\Windows\addins\csrss.exe	12312de68052a05888a9cf9d804cec6c.exe
File created	C:\Windows\addins\csrss.exe	12312de68052a05888a9cf9d804cec6c.exe
File created	C:\Windows\addins\886983d96e3d3e	12312de68052a05888a9cf9d804cec6c.exe
File opened for modification	C:\Windows\addins\RCX27B1.tmp	12312de68052a05888a9cf9d804cec6c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1488	schtasks.exe
532	schtasks.exe
1036	schtasks.exe
1888	schtasks.exe
1964	schtasks.exe
468	schtasks.exe
1348	schtasks.exe
604	schtasks.exe
1740	schtasks.exe
668	schtasks.exe
1436	schtasks.exe
1988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

12312de68052a05888a9cf9d804cec6c.exewinlogon.exe

pid	process
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1084	12312de68052a05888a9cf9d804cec6c.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

winlogon.exe

pid process

1480 winlogon.exe

pid	process
1480	winlogon.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

12312de68052a05888a9cf9d804cec6c.exewinlogon.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1084	12312de68052a05888a9cf9d804cec6c.exe
Token: SeDebugPrivilege	1480	winlogon.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeBackupPrivilege	1740	vssvc.exe
Token: SeRestorePrivilege	1740	vssvc.exe
Token: SeAuditPrivilege	1740	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

winlogon.exe

pid process

1480 winlogon.exe

pid	process
1480	winlogon.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

12312de68052a05888a9cf9d804cec6c.execmd.exe

description	pid	process	target process
PID 1084 wrote to memory of 1568	1084	12312de68052a05888a9cf9d804cec6c.exe	powershell.exe
PID 1084 wrote to memory of 1568	1084	12312de68052a05888a9cf9d804cec6c.exe	powershell.exe
PID 1084 wrote to memory of 1568	1084	12312de68052a05888a9cf9d804cec6c.exe	powershell.exe
PID 1084 wrote to memory of 672	1084	12312de68052a05888a9cf9d804cec6c.exe	powershell.exe
PID 1084 wrote to memory of 672	1084	12312de68052a05888a9cf9d804cec6c.exe	powershell.exe
PID 1084 wrote to memory of 672	1084	12312de68052a05888a9cf9d804cec6c.exe	powershell.exe
PID 1084 wrote to memory of 908	1084	12312de68052a05888a9cf9d804cec6c.exe	powershell.exe
PID 1084 wrote to memory of 908	1084	12312de68052a05888a9cf9d804cec6c.exe	powershell.exe
PID 1084 wrote to memory of 908	1084	12312de68052a05888a9cf9d804cec6c.exe	powershell.exe
PID 1084 wrote to memory of 1836	1084	12312de68052a05888a9cf9d804cec6c.exe	powershell.exe
PID 1084 wrote to memory of 1836	1084	12312de68052a05888a9cf9d804cec6c.exe	powershell.exe
PID 1084 wrote to memory of 1836	1084	12312de68052a05888a9cf9d804cec6c.exe	powershell.exe
PID 1084 wrote to memory of 1692	1084	12312de68052a05888a9cf9d804cec6c.exe	powershell.exe
PID 1084 wrote to memory of 1692	1084	12312de68052a05888a9cf9d804cec6c.exe	powershell.exe
PID 1084 wrote to memory of 1692	1084	12312de68052a05888a9cf9d804cec6c.exe	powershell.exe
PID 1084 wrote to memory of 1552	1084	12312de68052a05888a9cf9d804cec6c.exe	cmd.exe
PID 1084 wrote to memory of 1552	1084	12312de68052a05888a9cf9d804cec6c.exe	cmd.exe
PID 1084 wrote to memory of 1552	1084	12312de68052a05888a9cf9d804cec6c.exe	cmd.exe
PID 1552 wrote to memory of 1576	1552	cmd.exe	w32tm.exe
PID 1552 wrote to memory of 1576	1552	cmd.exe	w32tm.exe
PID 1552 wrote to memory of 1576	1552	cmd.exe	w32tm.exe
PID 1552 wrote to memory of 1480	1552	cmd.exe	winlogon.exe
PID 1552 wrote to memory of 1480	1552	cmd.exe	winlogon.exe
PID 1552 wrote to memory of 1480	1552	cmd.exe	winlogon.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

12312de68052a05888a9cf9d804cec6c.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	12312de68052a05888a9cf9d804cec6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	12312de68052a05888a9cf9d804cec6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	12312de68052a05888a9cf9d804cec6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\12312de68052a05888a9cf9d804cec6c.exe
"C:\Users\Admin\AppData\Local\Temp\12312de68052a05888a9cf9d804cec6c.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\12312de68052a05888a9cf9d804cec6c.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\csrss.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\dwm.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Pictures\csrss.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9uBXwmdMRj.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1576

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Pictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:604

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2236

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
Filesize
2.6MB

MD5
e9f2ea26789d5f39304b4dfc46d31eb6

SHA1
b323f9f8003f16d7176983a66a962e844be466d7

SHA256
c5551c7f4aeaf09f3d7f23f320d28ae0779e0164716c6adedbc9c11841390cc9

SHA512
c74a93cef499e647253a55fa44f54f14147cb9cb9aade5279e480d7afba744d30610594adb42888992ee26b1fa8bd67ed6e683be82b1126d11a066a235847664

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
Filesize
2.6MB

MD5
e9f2ea26789d5f39304b4dfc46d31eb6

SHA1
b323f9f8003f16d7176983a66a962e844be466d7

SHA256
c5551c7f4aeaf09f3d7f23f320d28ae0779e0164716c6adedbc9c11841390cc9

SHA512
c74a93cef499e647253a55fa44f54f14147cb9cb9aade5279e480d7afba744d30610594adb42888992ee26b1fa8bd67ed6e683be82b1126d11a066a235847664

Download Submit
C:\Users\Admin\AppData\Local\Temp\9uBXwmdMRj.bat
Filesize
240B

MD5
2dde2d2ff0f0dd612045488d72eae23c

SHA1
ba9189eaf34c10635e10b791d2b4a96048ee4799

SHA256
eecf93d25846326990660da1de2e5be6209a8f3e91ca7069e2094eb67672bcdf

SHA512
6b873eb2bd030846b7032be473cbfb589a668103a49701233a626e0273911b54acc767cf2fde31b40f769b6429745ebfdf09e191d05e68e26b8a44d4c6a7ad33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1c60992d1eea8d4ad2be74bcdd471e34

SHA1
d5d73fd794f7c7623a049b651c98b3724e9c2f23

SHA256
1e28cde69420ce1cd3293bf35ab9cff867062b3110ea480bb141ba2fe8c41028

SHA512
6b6ab9db8776d10a64ab1cd8e64fe21b8e9204455a050e7ce67b7c87f4f8ae474df2993745f90d5842d2f35e4acce936319a93bc147611553e04dd0483b59c82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1c60992d1eea8d4ad2be74bcdd471e34

SHA1
d5d73fd794f7c7623a049b651c98b3724e9c2f23

SHA256
1e28cde69420ce1cd3293bf35ab9cff867062b3110ea480bb141ba2fe8c41028

SHA512
6b6ab9db8776d10a64ab1cd8e64fe21b8e9204455a050e7ce67b7c87f4f8ae474df2993745f90d5842d2f35e4acce936319a93bc147611553e04dd0483b59c82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1c60992d1eea8d4ad2be74bcdd471e34

SHA1
d5d73fd794f7c7623a049b651c98b3724e9c2f23

SHA256
1e28cde69420ce1cd3293bf35ab9cff867062b3110ea480bb141ba2fe8c41028

SHA512
6b6ab9db8776d10a64ab1cd8e64fe21b8e9204455a050e7ce67b7c87f4f8ae474df2993745f90d5842d2f35e4acce936319a93bc147611553e04dd0483b59c82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1c60992d1eea8d4ad2be74bcdd471e34

SHA1
d5d73fd794f7c7623a049b651c98b3724e9c2f23

SHA256
1e28cde69420ce1cd3293bf35ab9cff867062b3110ea480bb141ba2fe8c41028

SHA512
6b6ab9db8776d10a64ab1cd8e64fe21b8e9204455a050e7ce67b7c87f4f8ae474df2993745f90d5842d2f35e4acce936319a93bc147611553e04dd0483b59c82

Download Submit
memory/672-113-0x000000001B820000-0x000000001BB1F000-memory.dmp

Filesize
3.0MB

Download
memory/672-85-0x000007FEEA9F0000-0x000007FEEB413000-memory.dmp

Filesize
10.1MB

Download
memory/672-106-0x00000000029E4000-0x00000000029E7000-memory.dmp

Filesize
12KB

Download
memory/672-127-0x00000000029E4000-0x00000000029E7000-memory.dmp

Filesize
12KB

Download
memory/672-75-0x0000000000000000-mapping.dmp

Download
memory/672-103-0x000007FEE8EC0000-0x000007FEE9A1D000-memory.dmp

Filesize
11.4MB

Download
memory/672-128-0x00000000029EB000-0x0000000002A0A000-memory.dmp

Filesize
124KB

Download
memory/672-119-0x00000000029EB000-0x0000000002A0A000-memory.dmp

Filesize
124KB

Download
memory/908-118-0x000000000247B000-0x000000000249A000-memory.dmp

Filesize
124KB

Download
memory/908-102-0x000007FEE8EC0000-0x000007FEE9A1D000-memory.dmp

Filesize
11.4MB

Download
memory/908-115-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/908-96-0x000007FEEA9F0000-0x000007FEEB413000-memory.dmp

Filesize
10.1MB

Download
memory/908-105-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/908-131-0x000000000247B000-0x000000000249A000-memory.dmp

Filesize
124KB

Download
memory/908-76-0x0000000000000000-mapping.dmp

Download
memory/908-130-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/1084-61-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/1084-67-0x0000000000C90000-0x0000000000C9C000-memory.dmp

Filesize
48KB

Download
memory/1084-72-0x0000000000E30000-0x0000000000E3C000-memory.dmp

Filesize
48KB

Download
memory/1084-71-0x0000000000E20000-0x0000000000E28000-memory.dmp

Filesize
32KB

Download
memory/1084-60-0x0000000000B70000-0x0000000000B80000-memory.dmp

Filesize
64KB

Download
memory/1084-70-0x0000000000D30000-0x0000000000D3E000-memory.dmp

Filesize
56KB

Download
memory/1084-59-0x0000000000B50000-0x0000000000B62000-memory.dmp

Filesize
72KB

Download
memory/1084-58-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/1084-69-0x0000000000D40000-0x0000000000D48000-memory.dmp

Filesize
32KB

Download
memory/1084-68-0x0000000000CA0000-0x0000000000CAC000-memory.dmp

Filesize
48KB

Download
memory/1084-95-0x000000001B1F6000-0x000000001B215000-memory.dmp

Filesize
124KB

Download
memory/1084-73-0x000000001B1F6000-0x000000001B215000-memory.dmp

Filesize
124KB

Download
memory/1084-56-0x00000000004E0000-0x00000000004E8000-memory.dmp

Filesize
32KB

Download
memory/1084-66-0x0000000000C20000-0x0000000000C32000-memory.dmp

Filesize
72KB

Download
memory/1084-55-0x00000000004D0000-0x00000000004DE000-memory.dmp

Filesize
56KB

Download
memory/1084-54-0x0000000001370000-0x0000000001614000-memory.dmp

Filesize
2.6MB

Download
memory/1084-65-0x0000000000B90000-0x0000000000B98000-memory.dmp

Filesize
32KB

Download
memory/1084-62-0x0000000000DD0000-0x0000000000E26000-memory.dmp

Filesize
344KB

Download
memory/1084-57-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/1084-64-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/1084-63-0x0000000000B60000-0x0000000000B6C000-memory.dmp

Filesize
48KB

Download
memory/1480-101-0x000000001B456000-0x000000001B475000-memory.dmp

Filesize
124KB

Download
memory/1480-112-0x000000001B456000-0x000000001B475000-memory.dmp

Filesize
124KB

Download
memory/1480-100-0x0000000000DC0000-0x0000000001064000-memory.dmp

Filesize
2.6MB

Download
memory/1480-98-0x0000000000000000-mapping.dmp

Download
memory/1552-92-0x0000000000000000-mapping.dmp

Download
memory/1568-74-0x0000000000000000-mapping.dmp

Download
memory/1568-89-0x000007FEEA9F0000-0x000007FEEB413000-memory.dmp

Filesize
10.1MB

Download
memory/1568-79-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

Filesize
8KB

Download
memory/1568-126-0x00000000027BB000-0x00000000027DA000-memory.dmp

Filesize
124KB

Download
memory/1568-110-0x000007FEE8EC0000-0x000007FEE9A1D000-memory.dmp

Filesize
11.4MB

Download
memory/1568-108-0x00000000027B4000-0x00000000027B7000-memory.dmp

Filesize
12KB

Download
memory/1568-125-0x00000000027B4000-0x00000000027B7000-memory.dmp

Filesize
12KB

Download
memory/1568-122-0x00000000027BB000-0x00000000027DA000-memory.dmp

Filesize
124KB

Download
memory/1568-114-0x000000001B890000-0x000000001BB8F000-memory.dmp

Filesize
3.0MB

Download
memory/1576-94-0x0000000000000000-mapping.dmp

Download
memory/1692-117-0x000000001B8C0000-0x000000001BBBF000-memory.dmp

Filesize
3.0MB

Download
memory/1692-111-0x000007FEE8EC0000-0x000007FEE9A1D000-memory.dmp

Filesize
11.4MB

Download
memory/1692-109-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/1692-121-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/1692-78-0x0000000000000000-mapping.dmp

Download
memory/1692-91-0x000007FEEA9F0000-0x000007FEEB413000-memory.dmp

Filesize
10.1MB

Download
memory/1692-123-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/1692-124-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/1836-104-0x000007FEE8EC0000-0x000007FEE9A1D000-memory.dmp

Filesize
11.4MB

Download
memory/1836-116-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/1836-90-0x000007FEEA9F0000-0x000007FEEB413000-memory.dmp

Filesize
10.1MB

Download
memory/1836-107-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/1836-77-0x0000000000000000-mapping.dmp

Download
memory/1836-120-0x00000000024FB000-0x000000000251A000-memory.dmp

Filesize
124KB

Download
memory/1836-129-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/1836-132-0x00000000024FB000-0x000000000251A000-memory.dmp

Filesize
124KB

Download