Analysis
Max time kernel: 143s
Max time network: 156s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 19-03-2024 17:37
Static task: static1
Behavioral task: behavioral1
Sample: d6b8c1db03cd0f282e1718daf0dc35cf.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: d6b8c1db03cd0f282e1718daf0dc35cf.exe
Resource: win10v2004-20240226-en
General
Target: d6b8c1db03cd0f282e1718daf0dc35cf.exe
Size: 978KB
MD5: d6b8c1db03cd0f282e1718daf0dc35cf
SHA1: 33435de2eb5be3e242bc75d3c6722e6e1a9b866c
SHA256: 7849b02c1912451ca4703361443e161953750e9783ee237985db9cafaff76c04
SHA512: fa8bc7754009e447c1a87bd1e8183e5138eb2a637a6a3853f546af48a3564522b634341f2ed09117048f549953010c7fc4d67a72194121e23171f5f3f8746c27
SSDEEP: 24576:gHmSroFu1bU2XbykgUD5G5/XjaTG5lgUChKw9NQLH:gH7k4lyzBdToG5Wj9U
Malware Config
Signatures
DcRat 8 IoCs
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
pid | Process
2176 | schtasks.exe
3124 | schtasks.exe
1932 | schtasks.exe
4544 | schtasks.exe
4536 | schtasks.exe
4700 | schtasks.exe
1444 | schtasks.exe
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Modifies Windows Defender Real-time Protection settings 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Process spawned unexpected child process 7 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2176 | 3852 | schtasks.exe | 100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3124 | 3852 | schtasks.exe | 100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1932 | 3852 | schtasks.exe | 100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4544 | 3852 | schtasks.exe | 100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4536 | 3852 | schtasks.exe | 100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4700 | 3852 | schtasks.exe | 100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1444 | 3852 | schtasks.exe | 100
Turns off Windows Defender SpyNet reporting 2 TTPs
Windows security bypass 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Recovery\WindowsRE\csrss.exe = "0" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf.exe = "0" | d6b8c1db03cd0f282e1718daf0dc35cf.exe
DcRat (YARA rule match) 1 IoCs
resource | yara_rule
behavioral2/memory/4884-25-0x0000000000400000-0x00000000004AC000-memory.dmp | dcrat
Nirsoft 1 IoCs
resource | yara_rule
behavioral2/files/0x00090000000231e8-15.dat | Nirsoft
Stops running service(s) 3 TTPs
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | AdvancedRun.exe
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | csrss.exe
Executes dropped EXE 5 IoCs
pid | Process
4876 | AdvancedRun.exe
3448 | AdvancedRun.exe
1664 | csrss.exe
376 | AdvancedRun.exe
768 | csrss.exe
Windows security modification 11 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf.exe = "0" | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Recovery\WindowsRE\csrss.exe = "0" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Adds Run key to start application 2 TTPs 7 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\"" | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Documents and Settings\\sppsvc.exe\"" | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\PerfLogs\\dwm.exe\"" | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\PS_MMAgent\\unsecapp.exe\"" | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\PerfLogs\\RuntimeBroker.exe\"" | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\WmiPerfClass\\WmiPrvSE.exe\"" | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\sppsvc.exe\"" | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Drops file in System32 directory 5 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\wbem\WmiPerfClass\WmiPrvSE.exe | d6b8c1db03cd0f282e1718daf0dc35cf.exe
File opened for modification | C:\Windows\SysWOW64\wbem\WmiPerfClass\WmiPrvSE.exe | d6b8c1db03cd0f282e1718daf0dc35cf.exe
File created | C:\Windows\SysWOW64\wbem\WmiPerfClass\24dbde2999530ef5fd907494bc374d663924116c | d6b8c1db03cd0f282e1718daf0dc35cf.exe
File created | C:\Windows\SysWOW64\wbem\PS_MMAgent\unsecapp.exe | d6b8c1db03cd0f282e1718daf0dc35cf.exe
File created | C:\Windows\SysWOW64\wbem\PS_MMAgent\29c1c3cc0f76855c7e7456076a4ffc27e4947119 | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 3116 set thread context of 4884 | 3116 | d6b8c1db03cd0f282e1718daf0dc35cf.exe | 104
PID 1664 set thread context of 768 | 1664 | csrss.exe | 144
Launches sc.exe 22 IoCs
sc.exe is a Windows utility for controlling services on the system.
pid | Process
2852 | sc.exe
1568 | sc.exe
4516 | sc.exe
1828 | sc.exe
4512 | sc.exe
3192 | sc.exe
964 | sc.exe
4456 | sc.exe
4208 | sc.exe
2576 | sc.exe
4396 | sc.exe
772 | sc.exe
4500 | sc.exe
1692 | sc.exe
2220 | sc.exe
4960 | sc.exe
1780 | sc.exe
2596 | sc.exe
3664 | sc.exe
5008 | sc.exe
1444 | sc.exe
2272 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1932 | schtasks.exe
4544 | schtasks.exe
4536 | schtasks.exe
4700 | schtasks.exe
1444 | schtasks.exe
2176 | schtasks.exe
3124 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid | Process
4876 | AdvancedRun.exe
4876 | AdvancedRun.exe
4876 | AdvancedRun.exe
4876 | AdvancedRun.exe
3448 | AdvancedRun.exe
3448 | AdvancedRun.exe
3448 | AdvancedRun.exe
3448 | AdvancedRun.exe
2424 | powershell.exe
2424 | powershell.exe
4884 | d6b8c1db03cd0f282e1718daf0dc35cf.exe
4884 | d6b8c1db03cd0f282e1718daf0dc35cf.exe
2424 | powershell.exe
376 | AdvancedRun.exe
376 | AdvancedRun.exe
376 | AdvancedRun.exe
376 | AdvancedRun.exe
2084 | powershell.exe
2084 | powershell.exe
2084 | powershell.exe
768 | csrss.exe
768 | csrss.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4876 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 4876 | AdvancedRun.exe
Token: SeDebugPrivilege | 3448 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 3448 | AdvancedRun.exe
Token: SeDebugPrivilege | 3116 | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Token: SeDebugPrivilege | 2424 | powershell.exe
Token: SeDebugPrivilege | 4884 | d6b8c1db03cd0f282e1718daf0dc35cf.exe
Token: SeDebugPrivilege | 376 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 376 | AdvancedRun.exe
Token: SeDebugPrivilege | 1664 | csrss.exe
Token: SeDebugPrivilege | 768 | csrss.exe
Token: SeDebugPrivilege | 2084 | powershell.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3116 wrote to memory of 4876 | 3116 | d6b8c1db03cd0f282e1718daf0dc35cf.exe | 95
PID 3116 wrote to memory of 4876 | 3116 | d6b8c1db03cd0f282e1718daf0dc35cf.exe | 95
PID 3116 wrote to memory of 4876 | 3116 | d6b8c1db03cd0f282e1718daf0dc35cf.exe | 95
PID 4876 wrote to memory of 3448 | 4876 | AdvancedRun.exe | 97
PID 4876 wrote to memory of 3448 | 4876 | AdvancedRun.exe | 97
PID 4876 wrote to memory of 3448 | 4876 | AdvancedRun.exe | 97
PID 3116 wrote to memory of 2424 | 3116 | d6b8c1db03cd0f282e1718daf0dc35cf.exe | 102
PID 3116 wrote to memory of 2424 | 3116 | d6b8c1db03cd0f282e1718daf0dc35cf.exe | 102
PID 3116 wrote to memory of 2424 | 3116 | d6b8c1db03cd0f282e1718daf0dc35cf.exe | 102
PID 3116 wrote to memory of 4884 | 3116 | d6b8c1db03cd0f282e1718daf0dc35cf.exe | 104
PID 3116 wrote to memory of 4884 | 3116 | d6b8c1db03cd0f282e1718daf0dc35cf.exe | 104
PID 3116 wrote to memory of 4884 | 3116 | d6b8c1db03cd0f282e1718daf0dc35cf.exe | 104
PID 3116 wrote to memory of 4884 | 3116 | d6b8c1db03cd0f282e1718daf0dc35cf.exe | 104
PID 3116 wrote to memory of 4884 | 3116 | d6b8c1db03cd0f282e1718daf0dc35cf.exe | 104
PID 3116 wrote to memory of 4884 | 3116 | d6b8c1db03cd0f282e1718daf0dc35cf.exe | 104
PID 3116 wrote to memory of 4884 | 3116 | d6b8c1db03cd0f282e1718daf0dc35cf.exe | 104
PID 3116 wrote to memory of 4884 | 3116 | d6b8c1db03cd0f282e1718daf0dc35cf.exe | 104
PID 4884 wrote to memory of 1664 | 4884 | d6b8c1db03cd0f282e1718daf0dc35cf.exe | 115
PID 4884 wrote to memory of 1664 | 4884 | d6b8c1db03cd0f282e1718daf0dc35cf.exe | 115
PID 4884 wrote to memory of 1664 | 4884 | d6b8c1db03cd0f282e1718daf0dc35cf.exe | 115
PID 1664 wrote to memory of 376 | 1664 | csrss.exe | 116
PID 1664 wrote to memory of 376 | 1664 | csrss.exe | 116
PID 1664 wrote to memory of 376 | 1664 | csrss.exe | 116
PID 3116 wrote to memory of 2576 | 3116 | cmd.exe | 120
PID 3116 wrote to memory of 2576 | 3116 | cmd.exe | 120
PID 3116 wrote to memory of 4396 | 3116 | cmd.exe | 121
PID 3116 wrote to memory of 4396 | 3116 | cmd.exe | 121
PID 3116 wrote to memory of 772 | 3116 | cmd.exe | 122
PID 3116 wrote to memory of 772 | 3116 | cmd.exe | 122
PID 3116 wrote to memory of 1828 | 3116 | cmd.exe | 123
PID 3116 wrote to memory of 1828 | 3116 | cmd.exe | 123
PID 3116 wrote to memory of 4960 | 3116 | cmd.exe | 124
PID 3116 wrote to memory of 4960 | 3116 | cmd.exe | 124
PID 3116 wrote to memory of 4512 | 3116 | cmd.exe | 125
PID 3116 wrote to memory of 4512 | 3116 | cmd.exe | 125
PID 3116 wrote to memory of 1780 | 3116 | cmd.exe | 126
PID 3116 wrote to memory of 1780 | 3116 | cmd.exe | 126
PID 3116 wrote to memory of 2596 | 3116 | cmd.exe | 127
PID 3116 wrote to memory of 2596 | 3116 | cmd.exe | 127
PID 3116 wrote to memory of 5008 | 3116 | cmd.exe | 128
PID 3116 wrote to memory of 5008 | 3116 | cmd.exe | 128
PID 3116 wrote to memory of 964 | 3116 | cmd.exe | 129
PID 3116 wrote to memory of 964 | 3116 | cmd.exe | 129
PID 3116 wrote to memory of 3192 | 3116 | cmd.exe | 130
PID 3116 wrote to memory of 3192 | 3116 | cmd.exe | 130
PID 3116 wrote to memory of 4456 | 3116 | cmd.exe | 131
PID 3116 wrote to memory of 4456 | 3116 | cmd.exe | 131
PID 3116 wrote to memory of 2852 | 3116 | cmd.exe | 132
PID 3116 wrote to memory of 2852 | 3116 | cmd.exe | 132
PID 3116 wrote to memory of 4500 | 3116 | cmd.exe | 133
PID 3116 wrote to memory of 4500 | 3116 | cmd.exe | 133
PID 3116 wrote to memory of 1568 | 3116 | cmd.exe | 134
PID 3116 wrote to memory of 1568 | 3116 | cmd.exe | 134
PID 3116 wrote to memory of 1444 | 3116 | cmd.exe | 135
PID 3116 wrote to memory of 1444 | 3116 | cmd.exe | 135
PID 3116 wrote to memory of 4516 | 3116 | cmd.exe | 136
PID 3116 wrote to memory of 4516 | 3116 | cmd.exe | 136
PID 3116 wrote to memory of 1692 | 3116 | cmd.exe | 137
PID 3116 wrote to memory of 1692 | 3116 | cmd.exe | 137
PID 3116 wrote to memory of 4208 | 3116 | cmd.exe | 138
PID 3116 wrote to memory of 4208 | 3116 | cmd.exe | 138
PID 3116 wrote to memory of 2272 | 3116 | cmd.exe | 139
PID 3116 wrote to memory of 2272 | 3116 | cmd.exe | 139
PID 3116 wrote to memory of 2220 | 3116 | cmd.exe | 140
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf.exe"
- DcRat
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3116

C:\Users\Admin\AppData\Local\Temp\b50e3949-8607-4de2-aa32-39f37bbeb8e9\AdvancedRun.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\b50e3949-8607-4de2-aa32-39f37bbeb8e9\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\b50e3949-8607-4de2-aa32-39f37bbeb8e9\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4876

C:\Users\Admin\AppData\Local\Temp\b50e3949-8607-4de2-aa32-39f37bbeb8e9\AdvancedRun.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\b50e3949-8607-4de2-aa32-39f37bbeb8e9\AdvancedRun.exe" /SpecialRun 4101d8 4876
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf.exe" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2424

C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf.exe"
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4884

C:\Recovery\WindowsRE\csrss.exe (depth 3)
Command line: "C:\Recovery\WindowsRE\csrss.exe"
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1664

C:\Users\Admin\AppData\Local\Temp\7a0de871-a6d2-43c6-95fa-ae0f5b7f73ba\AdvancedRun.exe (depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\7a0de871-a6d2-43c6-95fa-ae0f5b7f73ba\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\7a0de871-a6d2-43c6-95fa-ae0f5b7f73ba\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 376

C:\Windows\system32\cmd.exe (depth 5)
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7a0de871-a6d2-43c6-95fa-ae0f5b7f73ba\test.bat"
- Suspicious use of WriteProcessMemory
PID: 3116
C:\Windows\system32\sc.exe (depth 6)
Command line: sc stop windefend
- Launches sc.exe
PID: 2576

C:\Windows\system32\sc.exe (depth 6)
Command line: sc config windefend start= disabled
- Launches sc.exe
PID: 4396

C:\Windows\system32\sc.exe (depth 6)
Command line: sc stop Sense
- Launches sc.exe
PID: 772

C:\Windows\system32\sc.exe (depth 6)
Command line: sc config Sense start= disabled
- Launches sc.exe
PID: 1828

C:\Windows\system32\sc.exe (depth 6)
Command line: sc stop wuauserv
- Launches sc.exe
PID: 4960

C:\Windows\system32\sc.exe (depth 6)
Command line: sc config wuauserv start= disabled
- Launches sc.exe
PID: 4512

C:\Windows\system32\sc.exe (depth 6)
Command line: sc stop usosvc
- Launches sc.exe
PID: 1780

C:\Windows\system32\sc.exe (depth 6)
Command line: sc config usosvc start= disabled
- Launches sc.exe
PID: 2596

C:\Windows\system32\sc.exe (depth 6)
Command line: sc stop WaasMedicSvc
- Launches sc.exe
PID: 5008

C:\Windows\system32\sc.exe (depth 6)
Command line: sc config WaasMedicSvc start= disabled
- Launches sc.exe
PID: 964

C:\Windows\system32\sc.exe (depth 6)
Command line: sc stop SecurityHealthService
- Launches sc.exe
PID: 3192

C:\Windows\system32\sc.exe (depth 6)
Command line: sc config SecurityHealthService start= disabled
- Launches sc.exe
PID: 4456

C:\Windows\system32\sc.exe (depth 6)
Command line: sc stop SDRSVC
- Launches sc.exe
PID: 2852

C:\Windows\system32\sc.exe (depth 6)
Command line: sc config SDRSVC start= disabled
- Launches sc.exe
PID: 4500

C:\Windows\system32\sc.exe (depth 6)
Command line: sc stop wscsvc
- Launches sc.exe
PID: 1568

C:\Windows\system32\sc.exe (depth 6)
Command line: sc config wscsvc start= disabled
- Launches sc.exe
PID: 1444

C:\Windows\system32\sc.exe (depth 6)
Command line: sc stop WdiServiceHost
- Launches sc.exe
PID: 4516

C:\Windows\system32\sc.exe (depth 6)
Command line: sc config WdiServiceHost start= disabled
- Launches sc.exe
PID: 1692

C:\Windows\system32\sc.exe (depth 6)
Command line: sc stop WdiSystemHost
- Launches sc.exe
PID: 4208

C:\Windows\system32\sc.exe (depth 6)
Command line: sc config WdiSystemHost start= disabled
- Launches sc.exe
PID: 2272

C:\Windows\system32\sc.exe (depth 6)
Command line: sc stop InstallService
- Launches sc.exe
PID: 2220

C:\Windows\system32\sc.exe (depth 6)
Command line: sc config InstallService Start= disabled
- Launches sc.exe
PID: 3664
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Recovery\WindowsRE\csrss.exe" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2084

C:\Recovery\WindowsRE\csrss.exe (depth 4)
Command line: "C:\Recovery\WindowsRE\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 768
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\WmiPerfClass\WmiPrvSE.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2176

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\sppsvc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3124

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1932

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Documents and Settings\sppsvc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4544

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\PerfLogs\dwm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4536

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\PS_MMAgent\unsecapp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4700

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\PerfLogs\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1444
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Downloads