dcrat | 5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d

Analysis

max time kernel
61s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-06-2023 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

231efb7ab5b36cda91e06456480228c1.exe
Size

1.3MB
MD5

231efb7ab5b36cda91e06456480228c1
SHA1

11edb782a254ead91bef459fb4dac0ca393ffeaf
SHA256

5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d
SHA512

c51446bf048412031b5ea5c09b55b8c1ba8d3319eaf84cda647c0048f919a9f408220200ae1d405acd54557af9626a91e03789573a556ccafea9b7bfbcec2017
SSDEEP

24576:9urfikuV13mFFkwIuKOaZDIpw6P/KlBrJ/GB+8xNEJn:eiku13qF1jtpwG/KR/YxNEJ

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	1688	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	1688	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	1688	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	1688	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	1688	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	1688	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	1688	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1688	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	1688	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1084-54-0x0000000000E50000-0x0000000000FA4000-memory.dmp	dcrat
C:\MSOCache\All Users\taskhost.exe	dcrat
C:\MSOCache\All Users\taskhost.exe	dcrat
behavioral1/memory/1512-105-0x0000000000210000-0x0000000000364000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

taskhost.exe

pid process

1512 taskhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ipinfo.io
6 ipinfo.io

pid	process
1512	taskhost.exe

flow	ioc
5	ipinfo.io
6	ipinfo.io

Drops file in Program Files directory 2 IoCs

Processes:

231efb7ab5b36cda91e06456480228c1.exe

description	ioc	process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\lsm.exe	231efb7ab5b36cda91e06456480228c1.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\101b941d020240	231efb7ab5b36cda91e06456480228c1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1456	schtasks.exe
1536	schtasks.exe
944	schtasks.exe
2036	schtasks.exe
1016	schtasks.exe
332	schtasks.exe
1276	schtasks.exe
240	schtasks.exe
1012	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

taskhost.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	taskhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	taskhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	taskhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	taskhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	taskhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	taskhost.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

231efb7ab5b36cda91e06456480228c1.exepowershell.exepowershell.exepowershell.exepowershell.exetaskhost.exe

pid	process
1084	231efb7ab5b36cda91e06456480228c1.exe
1940	powershell.exe
1932	powershell.exe
1944	powershell.exe
1956	powershell.exe
1512	taskhost.exe
1512	taskhost.exe
1512	taskhost.exe
1512	taskhost.exe
1512	taskhost.exe
1512	taskhost.exe
1512	taskhost.exe
1512	taskhost.exe
1512	taskhost.exe
1512	taskhost.exe
1512	taskhost.exe
1512	taskhost.exe
1512	taskhost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

231efb7ab5b36cda91e06456480228c1.exepowershell.exepowershell.exepowershell.exepowershell.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	1084	231efb7ab5b36cda91e06456480228c1.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1512	taskhost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

231efb7ab5b36cda91e06456480228c1.execmd.exe

description	pid	process	target process
PID 1084 wrote to memory of 1940	1084	231efb7ab5b36cda91e06456480228c1.exe	powershell.exe
PID 1084 wrote to memory of 1940	1084	231efb7ab5b36cda91e06456480228c1.exe	powershell.exe
PID 1084 wrote to memory of 1940	1084	231efb7ab5b36cda91e06456480228c1.exe	powershell.exe
PID 1084 wrote to memory of 1944	1084	231efb7ab5b36cda91e06456480228c1.exe	powershell.exe
PID 1084 wrote to memory of 1944	1084	231efb7ab5b36cda91e06456480228c1.exe	powershell.exe
PID 1084 wrote to memory of 1944	1084	231efb7ab5b36cda91e06456480228c1.exe	powershell.exe
PID 1084 wrote to memory of 1956	1084	231efb7ab5b36cda91e06456480228c1.exe	powershell.exe
PID 1084 wrote to memory of 1956	1084	231efb7ab5b36cda91e06456480228c1.exe	powershell.exe
PID 1084 wrote to memory of 1956	1084	231efb7ab5b36cda91e06456480228c1.exe	powershell.exe
PID 1084 wrote to memory of 1932	1084	231efb7ab5b36cda91e06456480228c1.exe	powershell.exe
PID 1084 wrote to memory of 1932	1084	231efb7ab5b36cda91e06456480228c1.exe	powershell.exe
PID 1084 wrote to memory of 1932	1084	231efb7ab5b36cda91e06456480228c1.exe	powershell.exe
PID 1084 wrote to memory of 1404	1084	231efb7ab5b36cda91e06456480228c1.exe	cmd.exe
PID 1084 wrote to memory of 1404	1084	231efb7ab5b36cda91e06456480228c1.exe	cmd.exe
PID 1084 wrote to memory of 1404	1084	231efb7ab5b36cda91e06456480228c1.exe	cmd.exe
PID 1404 wrote to memory of 1704	1404	cmd.exe	w32tm.exe
PID 1404 wrote to memory of 1704	1404	cmd.exe	w32tm.exe
PID 1404 wrote to memory of 1704	1404	cmd.exe	w32tm.exe
PID 1404 wrote to memory of 1512	1404	cmd.exe	taskhost.exe
PID 1404 wrote to memory of 1512	1404	cmd.exe	taskhost.exe
PID 1404 wrote to memory of 1512	1404	cmd.exe	taskhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\231efb7ab5b36cda91e06456480228c1.exe
"C:\Users\Admin\AppData\Local\Temp\231efb7ab5b36cda91e06456480228c1.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\231efb7ab5b36cda91e06456480228c1.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\lsm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\taskhost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\17OcEwNUD6.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1704

C:\MSOCache\All Users\taskhost.exe
"C:\MSOCache\All Users\taskhost.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Default\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\taskhost.exe
Filesize
1.3MB

MD5
231efb7ab5b36cda91e06456480228c1

SHA1
11edb782a254ead91bef459fb4dac0ca393ffeaf

SHA256
5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d

SHA512
c51446bf048412031b5ea5c09b55b8c1ba8d3319eaf84cda647c0048f919a9f408220200ae1d405acd54557af9626a91e03789573a556ccafea9b7bfbcec2017

Download Submit
C:\MSOCache\All Users\taskhost.exe
Filesize
1.3MB

MD5
231efb7ab5b36cda91e06456480228c1

SHA1
11edb782a254ead91bef459fb4dac0ca393ffeaf

SHA256
5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d

SHA512
c51446bf048412031b5ea5c09b55b8c1ba8d3319eaf84cda647c0048f919a9f408220200ae1d405acd54557af9626a91e03789573a556ccafea9b7bfbcec2017

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ce1c896f095a610a8fa75364f073887c

SHA1
3c9bf3c050052c506e6cffdcd90c6d45aaa746b1

SHA256
ed88ba12f5521841931e53fc9ecdcfc4ab0e1c010db20630cebc171307c6bfbc

SHA512
8b2ab03557af5fba4236676a63b2e16ac9f7f83260bcc80dd30e041e7e7aa581995418ad667a4519cc5795292b2b70eaa54b959ace06324b1fa7d933bfe43dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\17OcEwNUD6.bat
Filesize
199B

MD5
4748d2d1ea0d3fca3ad457d8f0c97c27

SHA1
3908561b204e76395fd0d11f0a2f290bc4d6151d

SHA256
f7d08439a1219c66ea817df22b23c9a55e5f207d1fe93903ed17d995f6ab9042

SHA512
94b0fb8ee5e71e49a8fb71ebc2ac4aee3ec3e57820e4266f6df284b7c8f7f7d3f981671fb8daed48ef694ddbe8872b7701fee179d070b282fc478e44cfa2714f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE7A4.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEAB7.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
54c98749b6d3dfc1a752b1e0be1ab9cd

SHA1
34fc6720215a58ee3be350e60009590b2ab1c839

SHA256
ad843ff4d5447309e52cfbec9715800657488b91134efd56be025f7bbfb13a68

SHA512
ad1b9b31857acc6ac20b215433f06adee37bb2a79f7e5aaabdf16cd6770fd5fd466006e7ebb2a7d4e19097ba09d81985d9df9a36bb0a7663a55854f52dd5c03a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
54c98749b6d3dfc1a752b1e0be1ab9cd

SHA1
34fc6720215a58ee3be350e60009590b2ab1c839

SHA256
ad843ff4d5447309e52cfbec9715800657488b91134efd56be025f7bbfb13a68

SHA512
ad1b9b31857acc6ac20b215433f06adee37bb2a79f7e5aaabdf16cd6770fd5fd466006e7ebb2a7d4e19097ba09d81985d9df9a36bb0a7663a55854f52dd5c03a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5DRBYQF7478GG66152HK.temp
Filesize
7KB

MD5
54c98749b6d3dfc1a752b1e0be1ab9cd

SHA1
34fc6720215a58ee3be350e60009590b2ab1c839

SHA256
ad843ff4d5447309e52cfbec9715800657488b91134efd56be025f7bbfb13a68

SHA512
ad1b9b31857acc6ac20b215433f06adee37bb2a79f7e5aaabdf16cd6770fd5fd466006e7ebb2a7d4e19097ba09d81985d9df9a36bb0a7663a55854f52dd5c03a

Download Submit
memory/1084-59-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/1084-54-0x0000000000E50000-0x0000000000FA4000-memory.dmp

Filesize
1.3MB

Download
memory/1084-60-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/1084-58-0x0000000000480000-0x000000000048E000-memory.dmp

Filesize
56KB

Download
memory/1084-57-0x00000000001F0000-0x0000000000206000-memory.dmp

Filesize
88KB

Download
memory/1084-56-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/1084-55-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1512-105-0x0000000000210000-0x0000000000364000-memory.dmp

Filesize
1.3MB

Download
memory/1512-199-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1512-180-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1512-107-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1512-108-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1932-81-0x000000001B2A0000-0x000000001B582000-memory.dmp

Filesize
2.9MB

Download
memory/1932-95-0x00000000028CB000-0x0000000002902000-memory.dmp

Filesize
220KB

Download
memory/1932-94-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/1940-82-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/1940-106-0x00000000025DB000-0x0000000002612000-memory.dmp

Filesize
220KB

Download
memory/1940-97-0x00000000025D0000-0x0000000002650000-memory.dmp

Filesize
512KB

Download
memory/1940-96-0x00000000025D0000-0x0000000002650000-memory.dmp

Filesize
512KB

Download
memory/1944-102-0x00000000023CB000-0x0000000002402000-memory.dmp

Filesize
220KB

Download
memory/1944-100-0x00000000023C0000-0x0000000002440000-memory.dmp

Filesize
512KB

Download
memory/1956-101-0x000000000292B000-0x0000000002962000-memory.dmp

Filesize
220KB

Download
memory/1956-93-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1956-99-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1956-98-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download