dcrat | 6d95012691b58c36574d4b1061b07e0a8340909664908e991fad91028777fdd1

Resubmissions

12-01-2023 20:01

230112-yrh6hsae52 10

07-01-2023 04:41

230107-fa3jqagb8t 10

07-01-2023 04:21

230107-eynj2acf87 10

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
12-01-2023 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Size

3.8MB
MD5

0a0a64f3c4fa7d960be983aa0a7d0ce8
SHA1

b597c7397ecaff7c5c1aa27f5124fc7b8a94e643
SHA256

6d95012691b58c36574d4b1061b07e0a8340909664908e991fad91028777fdd1
SHA512

ef04e3eb8f2b10dae6845b97fa66086c3d02c5508adcd1923a93975c88f1ad0f80f984b563c36c4868276670b1dee9e11ae3c57faf7b0509118d121d920df7d4
SSDEEP

98304:F7b3a0t2TiPhx6Sp+ybfnDA4qo34n1oO:FH3Z8cp+gDZ4n1

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 13 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe0a0a64f3c4fa7d960be983aa0a7d0ce8.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1848	schtasks.exe
1568	schtasks.exe
980	schtasks.exe
1524	schtasks.exe
1600	schtasks.exe
2036	schtasks.exe
1980	schtasks.exe
1988	schtasks.exe
1724	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
660	schtasks.exe
1468	schtasks.exe
840	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\sppsvc.exe\", \"C:\\Program Files\\Windows Portable Devices\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Idle.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\sppsvc.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\sppsvc.exe\", \"C:\\Program Files\\Windows Portable Devices\\csrss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\sppsvc.exe\", \"C:\\Program Files\\Windows Portable Devices\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	1316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	1316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	1316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	1316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	1316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	1316	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2016-54-0x0000000000CB0000-0x000000000107A000-memory.dmp	dcrat
C:\Program Files\Windows Portable Devices\csrss.exe	dcrat
C:\Program Files\Windows Portable Devices\csrss.exe	dcrat
behavioral1/memory/1524-95-0x0000000001380000-0x000000000174A000-memory.dmp	dcrat

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

1524 csrss.exe

pid	process
1524	csrss.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\sppsvc.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Portable Devices\\csrss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Portable Devices\\csrss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Idle.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Idle.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\sppsvc.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ipinfo.io
8 ipinfo.io

flow	ioc
7	ipinfo.io
8	ipinfo.io

Drops file in Program Files directory 10 IoCs

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Portable Devices\RCX1A3B.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX31E4.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files\Windows Portable Devices\csrss.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\6ccacd8608530f	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX16D0.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX2E69.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files\Windows Portable Devices\886983d96e3d3e	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files\Windows Portable Devices\csrss.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1568	schtasks.exe
1524	schtasks.exe
1980	schtasks.exe
1468	schtasks.exe
1848	schtasks.exe
1988	schtasks.exe
660	schtasks.exe
840	schtasks.exe
1600	schtasks.exe
980	schtasks.exe
1724	schtasks.exe
2036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.execsrss.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2016	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
1524	csrss.exe
1700	powershell.exe
884	powershell.exe
908	powershell.exe
1068	powershell.exe
1740	powershell.exe
1524	csrss.exe
1524	csrss.exe
1524	csrss.exe
1524	csrss.exe
1524	csrss.exe
1524	csrss.exe
1524	csrss.exe
1524	csrss.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.execsrss.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2016	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Token: SeDebugPrivilege	1524	csrss.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeBackupPrivilege	832	vssvc.exe
Token: SeRestorePrivilege	832	vssvc.exe
Token: SeAuditPrivilege	832	vssvc.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.execsrss.exe

description	pid	process	target process
PID 2016 wrote to memory of 908	2016	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2016 wrote to memory of 908	2016	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2016 wrote to memory of 908	2016	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2016 wrote to memory of 1740	2016	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2016 wrote to memory of 1740	2016	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2016 wrote to memory of 1740	2016	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2016 wrote to memory of 1068	2016	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2016 wrote to memory of 1068	2016	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2016 wrote to memory of 1068	2016	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2016 wrote to memory of 884	2016	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2016 wrote to memory of 884	2016	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2016 wrote to memory of 884	2016	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2016 wrote to memory of 1700	2016	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2016 wrote to memory of 1700	2016	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2016 wrote to memory of 1700	2016	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2016 wrote to memory of 1524	2016	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	csrss.exe
PID 2016 wrote to memory of 1524	2016	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	csrss.exe
PID 2016 wrote to memory of 1524	2016	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	csrss.exe
PID 1524 wrote to memory of 912	1524	csrss.exe	WScript.exe
PID 1524 wrote to memory of 912	1524	csrss.exe	WScript.exe
PID 1524 wrote to memory of 912	1524	csrss.exe	WScript.exe
PID 1524 wrote to memory of 512	1524	csrss.exe	WScript.exe
PID 1524 wrote to memory of 512	1524	csrss.exe	WScript.exe
PID 1524 wrote to memory of 512	1524	csrss.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

csrss.exe0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

C:\Users\Admin\AppData\Local\Temp\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
"C:\Users\Admin\AppData\Local\Temp\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\csrss.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\sppsvc.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Program Files\Windows Portable Devices\csrss.exe
"C:\Program Files\Windows Portable Devices\csrss.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1524

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a36e3c01-92f6-4a98-9e42-75eb51bed56f.vbs"
3⤵
PID:912

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ede3c637-87ac-4e38-b101-49ba98af4701.vbs"
3⤵
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Portable Devices\csrss.exe
Filesize
3.8MB

MD5
9b241788121de3bd3dfad7ca14a0bf2e

SHA1
431baca2c20b360b69a074fdda1da5e0421bedee

SHA256
b290abb610753226176527e403b05cefc0f6c448efb0a5004db8ec6d6013f363

SHA512
c36a8635c34afb4d2180aa1b94ccbe461740739a7e06329e4e29eefcf86fdaad833cdf03a201aeab98c17eb6c054d818c1fae1133bb58528e55f0bf118740b03

Download Submit
C:\Program Files\Windows Portable Devices\csrss.exe
Filesize
3.8MB

MD5
9b241788121de3bd3dfad7ca14a0bf2e

SHA1
431baca2c20b360b69a074fdda1da5e0421bedee

SHA256
b290abb610753226176527e403b05cefc0f6c448efb0a5004db8ec6d6013f363

SHA512
c36a8635c34afb4d2180aa1b94ccbe461740739a7e06329e4e29eefcf86fdaad833cdf03a201aeab98c17eb6c054d818c1fae1133bb58528e55f0bf118740b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\a36e3c01-92f6-4a98-9e42-75eb51bed56f.vbs
Filesize
727B

MD5
3e2fbd4fea1dd1e60b3790705d6ccaaf

SHA1
8b952d662962f2bf07ab386bd982e7695cd1f146

SHA256
34b339116856d2cdc29a5fd13392311b64c012cb637785edb007a8d5da6b29f1

SHA512
062f3d597188951258edc766985549338a7d00dc1fe97733e326cd356e80131b08a3ca90d9801306a58598149c8a1cf67159e9475db86ad61e87edebeef19288

Download Submit
C:\Users\Admin\AppData\Local\Temp\ede3c637-87ac-4e38-b101-49ba98af4701.vbs
Filesize
503B

MD5
f5296a9810ba6106fba005cfd07ae73d

SHA1
06e123d5450aaf50b1d7797adb1bc05252b6a7fb

SHA256
cee4eb8ed55d393745ec827718f1de945bb6fcb268beb3a03d08aa8d769f1550

SHA512
19a6554effb357714a46335dcb8651458228a2a167f8d5445c588f3a87e3a047688fad83b4eea9afc3bf10fe98b45cf7e0d9e83f41382b809212de537ab8f947

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
c4214ac4b181dcceb1e8705d5f830408

SHA1
edb6e80ed58c157f144c73ddbb38018b054fcd4c

SHA256
ca8d869069f0358740f7c20f68be3f2de25d5c6c00aaf780039850ec38b839ae

SHA512
d66faf27dde8ca4f6dfccff4b46c09ac3a625da0c5a5e3c043dc50fa709dd425147c9b395d84b70900e9ee7574c24a954c3aa96779755cd1cc4eaa2f2e235584

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
c4214ac4b181dcceb1e8705d5f830408

SHA1
edb6e80ed58c157f144c73ddbb38018b054fcd4c

SHA256
ca8d869069f0358740f7c20f68be3f2de25d5c6c00aaf780039850ec38b839ae

SHA512
d66faf27dde8ca4f6dfccff4b46c09ac3a625da0c5a5e3c043dc50fa709dd425147c9b395d84b70900e9ee7574c24a954c3aa96779755cd1cc4eaa2f2e235584

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
c4214ac4b181dcceb1e8705d5f830408

SHA1
edb6e80ed58c157f144c73ddbb38018b054fcd4c

SHA256
ca8d869069f0358740f7c20f68be3f2de25d5c6c00aaf780039850ec38b839ae

SHA512
d66faf27dde8ca4f6dfccff4b46c09ac3a625da0c5a5e3c043dc50fa709dd425147c9b395d84b70900e9ee7574c24a954c3aa96779755cd1cc4eaa2f2e235584

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
c4214ac4b181dcceb1e8705d5f830408

SHA1
edb6e80ed58c157f144c73ddbb38018b054fcd4c

SHA256
ca8d869069f0358740f7c20f68be3f2de25d5c6c00aaf780039850ec38b839ae

SHA512
d66faf27dde8ca4f6dfccff4b46c09ac3a625da0c5a5e3c043dc50fa709dd425147c9b395d84b70900e9ee7574c24a954c3aa96779755cd1cc4eaa2f2e235584

Download Submit
memory/512-112-0x0000000000000000-mapping.dmp

Download
memory/884-117-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/884-98-0x000007FEEB310000-0x000007FEEBD33000-memory.dmp

Filesize
10.1MB

Download
memory/884-121-0x0000000002244000-0x0000000002247000-memory.dmp

Filesize
12KB

Download
memory/884-79-0x0000000000000000-mapping.dmp

Download
memory/884-101-0x000007FEEDD70000-0x000007FEEE8CD000-memory.dmp

Filesize
11.4MB

Download
memory/884-131-0x000000000224B000-0x000000000226A000-memory.dmp

Filesize
124KB

Download
memory/884-129-0x0000000002244000-0x0000000002247000-memory.dmp

Filesize
12KB

Download
memory/884-106-0x0000000002244000-0x0000000002247000-memory.dmp

Filesize
12KB

Download
memory/908-85-0x000007FEEB310000-0x000007FEEBD33000-memory.dmp

Filesize
10.1MB

Download
memory/908-120-0x0000000002954000-0x0000000002957000-memory.dmp

Filesize
12KB

Download
memory/908-105-0x0000000002954000-0x0000000002957000-memory.dmp

Filesize
12KB

Download
memory/908-124-0x000000000295B000-0x000000000297A000-memory.dmp

Filesize
124KB

Download
memory/908-125-0x0000000002954000-0x0000000002957000-memory.dmp

Filesize
12KB

Download
memory/908-76-0x0000000000000000-mapping.dmp

Download
memory/908-126-0x000000000295B000-0x000000000297A000-memory.dmp

Filesize
124KB

Download
memory/908-100-0x000007FEEDD70000-0x000007FEEE8CD000-memory.dmp

Filesize
11.4MB

Download
memory/908-111-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download
memory/912-110-0x0000000000000000-mapping.dmp

Download
memory/1068-119-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/1068-96-0x000007FEEB310000-0x000007FEEBD33000-memory.dmp

Filesize
10.1MB

Download
memory/1068-102-0x000007FEEDD70000-0x000007FEEE8CD000-memory.dmp

Filesize
11.4MB

Download
memory/1068-78-0x0000000000000000-mapping.dmp

Download
memory/1068-104-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/1068-116-0x000000001B980000-0x000000001BC7F000-memory.dmp

Filesize
3.0MB

Download
memory/1068-134-0x000000000256B000-0x000000000258A000-memory.dmp

Filesize
124KB

Download
memory/1068-133-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/1524-99-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/1524-95-0x0000000001380000-0x000000000174A000-memory.dmp

Filesize
3.8MB

Download
memory/1524-92-0x0000000000000000-mapping.dmp

Download
memory/1700-128-0x00000000022EB000-0x000000000230A000-memory.dmp

Filesize
124KB

Download
memory/1700-97-0x000007FEEB310000-0x000007FEEBD33000-memory.dmp

Filesize
10.1MB

Download
memory/1700-103-0x000007FEEDD70000-0x000007FEEE8CD000-memory.dmp

Filesize
11.4MB

Download
memory/1700-122-0x00000000022E4000-0x00000000022E7000-memory.dmp

Filesize
12KB

Download
memory/1700-115-0x000000001B840000-0x000000001BB3F000-memory.dmp

Filesize
3.0MB

Download
memory/1700-80-0x0000000000000000-mapping.dmp

Download
memory/1700-127-0x00000000022E4000-0x00000000022E7000-memory.dmp

Filesize
12KB

Download
memory/1700-107-0x00000000022E4000-0x00000000022E7000-memory.dmp

Filesize
12KB

Download
memory/1740-81-0x000007FEFC011000-0x000007FEFC013000-memory.dmp

Filesize
8KB

Download
memory/1740-108-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/1740-109-0x000007FEEDD70000-0x000007FEEE8CD000-memory.dmp

Filesize
11.4MB

Download
memory/1740-132-0x000000000249B000-0x00000000024BA000-memory.dmp

Filesize
124KB

Download
memory/1740-86-0x000007FEEB310000-0x000007FEEBD33000-memory.dmp

Filesize
10.1MB

Download
memory/1740-130-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/1740-77-0x0000000000000000-mapping.dmp

Download
memory/1740-118-0x000000001B8F0000-0x000000001BBEF000-memory.dmp

Filesize
3.0MB

Download
memory/1740-123-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/2016-72-0x000000001AFB0000-0x000000001AFB8000-memory.dmp

Filesize
32KB

Download
memory/2016-63-0x0000000000B70000-0x0000000000B78000-memory.dmp

Filesize
32KB

Download
memory/2016-54-0x0000000000CB0000-0x000000000107A000-memory.dmp

Filesize
3.8MB

Download
memory/2016-64-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/2016-65-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/2016-62-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/2016-66-0x000000001AB80000-0x000000001ABD6000-memory.dmp

Filesize
344KB

Download
memory/2016-61-0x00000000009E0000-0x00000000009EC000-memory.dmp

Filesize
48KB

Download
memory/2016-60-0x0000000000A70000-0x0000000000AC6000-memory.dmp

Filesize
344KB

Download
memory/2016-67-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/2016-68-0x000000001A910000-0x000000001A91A000-memory.dmp

Filesize
40KB

Download
memory/2016-59-0x00000000009D0000-0x00000000009DA000-memory.dmp

Filesize
40KB

Download
memory/2016-58-0x00000000009B0000-0x00000000009C6000-memory.dmp

Filesize
88KB

Download
memory/2016-57-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2016-69-0x000000001A920000-0x000000001A92E000-memory.dmp

Filesize
56KB

Download
memory/2016-70-0x000000001AB30000-0x000000001AB38000-memory.dmp

Filesize
32KB

Download
memory/2016-56-0x00000000004F0000-0x00000000004F8000-memory.dmp

Filesize
32KB

Download
memory/2016-71-0x000000001AFA0000-0x000000001AFAE000-memory.dmp

Filesize
56KB

Download
memory/2016-55-0x00000000004D0000-0x00000000004EC000-memory.dmp

Filesize
112KB

Download
memory/2016-73-0x000000001AFC0000-0x000000001AFCC000-memory.dmp

Filesize
48KB

Download
memory/2016-74-0x000000001AFE0000-0x000000001AFEA000-memory.dmp

Filesize
40KB

Download
memory/2016-75-0x000000001AFF0000-0x000000001AFFC000-memory.dmp

Filesize
48KB

Download