dcrat | 16771b819b03044356bad5b6d2a6b0f84e7fbd94c336743b58bbe5dc2e2ccbe8

Analysis

max time kernel
536s
max time network
597s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
11-05-2024 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ebabb8b4bb51cf.exe
Size

8.1MB
MD5

9ae6eccd4947fa65016152db60a1e9c4
SHA1

ac6693c8fc03c286c93860e0c13474151c2f1557
SHA256

16771b819b03044356bad5b6d2a6b0f84e7fbd94c336743b58bbe5dc2e2ccbe8
SHA512

11974385658bd5a20819cf859c7058198f61fbad1566ddbd9788806097b559434ba8cd12a59ea82dd86e3c8a225571d3b2cac3a97514c20cdbe49f6a0423adf8
SSDEEP

49152:Evqgk7XySAxNIQcmwYEhwUdKTMcZONvPUMPbANZ9B0hKuSZDidHutYPibit:Phzt

Score

10^/10

dcrat umbral evasion execution infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat 55 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
2216	schtasks.exe
1872	schtasks.exe
5004	schtasks.exe
3760	schtasks.exe
1496	schtasks.exe
4780	schtasks.exe
1528	schtasks.exe
4976	schtasks.exe
3988	schtasks.exe
2884	schtasks.exe
2340	schtasks.exe
2784	schtasks.exe
3672	schtasks.exe
3736	schtasks.exe
3028	schtasks.exe
1708	schtasks.exe
4120	schtasks.exe
1108	schtasks.exe
1404	schtasks.exe
1208	schtasks.exe
2772	schtasks.exe
2400	attrib.exe
1448	schtasks.exe
3004	schtasks.exe
3588	schtasks.exe
4656	schtasks.exe
4184	schtasks.exe
2472	schtasks.exe
3116	schtasks.exe
3340	schtasks.exe
2352	schtasks.exe
3076	schtasks.exe
884	schtasks.exe
252	schtasks.exe
2312	schtasks.exe
3368	schtasks.exe
1796	schtasks.exe
2912	schtasks.exe
3740	schtasks.exe
3944	schtasks.exe
1036	schtasks.exe
3604	schtasks.exe
1336	schtasks.exe
2424	schtasks.exe
3704	schtasks.exe
2976	schtasks.exe
3140	schtasks.exe
4844	schtasks.exe
3612	schtasks.exe
1392	schtasks.exe
4572	schtasks.exe
2992	schtasks.exe
2116	schtasks.exe
3344	schtasks.exe
1944	schtasks.exe

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral1/memory/4956-5-0x0000000000400000-0x000000000060E000-memory.dmp	family_umbral
behavioral1/files/0x000100000002aa2e-22.dat	family_umbral
behavioral1/memory/996-31-0x0000020DF6390000-0x0000020DF63D0000-memory.dmp	family_umbral

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	252	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	1076	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	1076	schtasks.exe	98

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	savesref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	savesref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	savesref.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/4956-5-0x0000000000400000-0x000000000060E000-memory.dmp	dcrat
behavioral1/files/0x000100000002aa2d-16.dat	dcrat
behavioral1/files/0x000100000002aa34-108.dat	dcrat
behavioral1/memory/1128-110-0x00000000008C0000-0x0000000000A4C000-memory.dmp	dcrat
behavioral1/files/0x000200000002aa6d-187.dat	dcrat
behavioral1/files/0x000c00000002aa2e-289.dat	dcrat
behavioral1/files/0x000200000002aa50-357.dat	dcrat
behavioral1/memory/4128-359-0x0000000000E30000-0x0000000000FBC000-memory.dmp	dcrat
behavioral1/files/0x000200000002aa4d-362.dat	dcrat
behavioral1/memory/1096-364-0x00000000007E0000-0x000000000096C000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3760	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	explorer.exe

Executes dropped EXE 8 IoCs

pid	Process
1428	svchost.exe
996	explorer.exe
1128	savesref.exe
344	sppsvc.exe
4848	unsecapp.exe
4128	winlogon.exe
1096	wininit.exe
4628	services.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	savesref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	savesref.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
4	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5080 set thread context of 4956	5080	7ebabb8b4bb51cf.exe	81

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\5940a34987c991	savesref.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\RCXB0BD.tmp	savesref.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\RCXB340.tmp	savesref.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXB545.tmp	savesref.exe
File created	C:\Program Files\7-Zip\wininit.exe	savesref.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCXA1BD.tmp	savesref.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\RCXB0BE.tmp	savesref.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\RCXB33F.tmp	savesref.exe
File opened for modification	C:\Program Files\7-Zip\RCXA43F.tmp	savesref.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\RCXAE3A.tmp	savesref.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\5940a34987c991	savesref.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\OfficeClickToRun.exe	savesref.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\29c1c3cc0f7685	savesref.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\System.exe	savesref.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\RCX9B8D.tmp	savesref.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\dllhost.exe	savesref.exe
File opened for modification	C:\Program Files\7-Zip\RCXA4AD.tmp	savesref.exe
File opened for modification	C:\Program Files\7-Zip\wininit.exe	savesref.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\dllhost.exe	savesref.exe
File created	C:\Program Files (x86)\Google\Update\Registry.exe	savesref.exe
File created	C:\Program Files\7-Zip\56085415360792	savesref.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\dllhost.exe	savesref.exe
File created	C:\Program Files (x86)\Google\Update\ee2ad38f3d4382	savesref.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\System.exe	savesref.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\unsecapp.exe	savesref.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\RCXAE3B.tmp	savesref.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\e6c9b481da804f	savesref.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\27d1bcfc3c54e0	savesref.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\OfficeClickToRun.exe	savesref.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\dllhost.exe	savesref.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\unsecapp.exe	savesref.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\RCX9B8C.tmp	savesref.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCXA1BC.tmp	savesref.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Registry.exe	savesref.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXB546.tmp	savesref.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\RCX9707.tmp	savesref.exe
File opened for modification	C:\Windows\assembly\dllhost.exe	savesref.exe
File opened for modification	C:\Windows\IdentityCRL\INT\RCX9DA2.tmp	savesref.exe
File created	C:\Windows\assembly\dllhost.exe	savesref.exe
File created	C:\Windows\IdentityCRL\INT\55b276f4edf653	savesref.exe
File created	C:\Windows\System\Speech\RuntimeBroker.exe	savesref.exe
File opened for modification	C:\Windows\assembly\RCX9689.tmp	savesref.exe
File opened for modification	C:\Windows\IdentityCRL\INT\RCX9DA3.tmp	savesref.exe
File opened for modification	C:\Windows\IdentityCRL\INT\StartMenuExperienceHost.exe	savesref.exe
File created	C:\Windows\assembly\5940a34987c991	savesref.exe
File created	C:\Windows\IdentityCRL\INT\StartMenuExperienceHost.exe	savesref.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4184	schtasks.exe
2912	schtasks.exe
2340	schtasks.exe
4976	schtasks.exe
3704	schtasks.exe
1872	schtasks.exe
2312	schtasks.exe
3760	schtasks.exe
3588	schtasks.exe
4844	schtasks.exe
3944	schtasks.exe
2352	schtasks.exe
1796	schtasks.exe
2884	schtasks.exe
1336	schtasks.exe
2424	schtasks.exe
3368	schtasks.exe
3344	schtasks.exe
884	schtasks.exe
2472	schtasks.exe
1528	schtasks.exe
3612	schtasks.exe
1708	schtasks.exe
3340	schtasks.exe
4120	schtasks.exe
3004	schtasks.exe
1208	schtasks.exe
4572	schtasks.exe
3116	schtasks.exe
1036	schtasks.exe
3672	schtasks.exe
5004	schtasks.exe
2784	schtasks.exe
1496	schtasks.exe
3028	schtasks.exe
2116	schtasks.exe
1392	schtasks.exe
3076	schtasks.exe
2772	schtasks.exe
2992	schtasks.exe
1448	schtasks.exe
3988	schtasks.exe
3604	schtasks.exe
2216	schtasks.exe
252	schtasks.exe
1108	schtasks.exe
1944	schtasks.exe
1404	schtasks.exe
3740	schtasks.exe
4656	schtasks.exe
2976	schtasks.exe
3140	schtasks.exe
4780	schtasks.exe
3736	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1756	wmic.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings	savesref.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings	svchost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3304	PING.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3760	powershell.exe
3760	powershell.exe
4312	powershell.exe
4312	powershell.exe
4320	powershell.exe
4320	powershell.exe
3536	powershell.exe
3536	powershell.exe
1128	savesref.exe
1128	savesref.exe
1128	savesref.exe
1128	savesref.exe
1128	savesref.exe
1128	savesref.exe
1128	savesref.exe
1128	savesref.exe
1128	savesref.exe
1128	savesref.exe
1128	savesref.exe
344	sppsvc.exe
344	sppsvc.exe
344	sppsvc.exe
344	sppsvc.exe
344	sppsvc.exe
344	sppsvc.exe
344	sppsvc.exe
344	sppsvc.exe
344	sppsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
344	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5080	7ebabb8b4bb51cf.exe
Token: SeDebugPrivilege	996	explorer.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	4320	powershell.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeIncreaseQuotaPrivilege	676	wmic.exe
Token: SeSecurityPrivilege	676	wmic.exe
Token: SeTakeOwnershipPrivilege	676	wmic.exe
Token: SeLoadDriverPrivilege	676	wmic.exe
Token: SeSystemProfilePrivilege	676	wmic.exe
Token: SeSystemtimePrivilege	676	wmic.exe
Token: SeProfSingleProcessPrivilege	676	wmic.exe
Token: SeIncBasePriorityPrivilege	676	wmic.exe
Token: SeCreatePagefilePrivilege	676	wmic.exe
Token: SeBackupPrivilege	676	wmic.exe
Token: SeRestorePrivilege	676	wmic.exe
Token: SeShutdownPrivilege	676	wmic.exe
Token: SeDebugPrivilege	676	wmic.exe
Token: SeSystemEnvironmentPrivilege	676	wmic.exe
Token: SeRemoteShutdownPrivilege	676	wmic.exe
Token: SeUndockPrivilege	676	wmic.exe
Token: SeManageVolumePrivilege	676	wmic.exe
Token: 33	676	wmic.exe
Token: 34	676	wmic.exe
Token: 35	676	wmic.exe
Token: 36	676	wmic.exe
Token: SeIncreaseQuotaPrivilege	676	wmic.exe
Token: SeSecurityPrivilege	676	wmic.exe
Token: SeTakeOwnershipPrivilege	676	wmic.exe
Token: SeLoadDriverPrivilege	676	wmic.exe
Token: SeSystemProfilePrivilege	676	wmic.exe
Token: SeSystemtimePrivilege	676	wmic.exe
Token: SeProfSingleProcessPrivilege	676	wmic.exe
Token: SeIncBasePriorityPrivilege	676	wmic.exe
Token: SeCreatePagefilePrivilege	676	wmic.exe
Token: SeBackupPrivilege	676	wmic.exe
Token: SeRestorePrivilege	676	wmic.exe
Token: SeShutdownPrivilege	676	wmic.exe
Token: SeDebugPrivilege	676	wmic.exe
Token: SeSystemEnvironmentPrivilege	676	wmic.exe
Token: SeRemoteShutdownPrivilege	676	wmic.exe
Token: SeUndockPrivilege	676	wmic.exe
Token: SeManageVolumePrivilege	676	wmic.exe
Token: 33	676	wmic.exe
Token: 34	676	wmic.exe
Token: 35	676	wmic.exe
Token: 36	676	wmic.exe
Token: SeIncreaseQuotaPrivilege	4180	wmic.exe
Token: SeSecurityPrivilege	4180	wmic.exe
Token: SeTakeOwnershipPrivilege	4180	wmic.exe
Token: SeLoadDriverPrivilege	4180	wmic.exe
Token: SeSystemProfilePrivilege	4180	wmic.exe
Token: SeSystemtimePrivilege	4180	wmic.exe
Token: SeProfSingleProcessPrivilege	4180	wmic.exe
Token: SeIncBasePriorityPrivilege	4180	wmic.exe
Token: SeCreatePagefilePrivilege	4180	wmic.exe
Token: SeBackupPrivilege	4180	wmic.exe
Token: SeRestorePrivilege	4180	wmic.exe
Token: SeShutdownPrivilege	4180	wmic.exe
Token: SeDebugPrivilege	4180	wmic.exe
Token: SeSystemEnvironmentPrivilege	4180	wmic.exe
Token: SeRemoteShutdownPrivilege	4180	wmic.exe
Token: SeUndockPrivilege	4180	wmic.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 4956	5080	7ebabb8b4bb51cf.exe	81
PID 5080 wrote to memory of 4956	5080	7ebabb8b4bb51cf.exe	81
PID 5080 wrote to memory of 4956	5080	7ebabb8b4bb51cf.exe	81
PID 5080 wrote to memory of 4956	5080	7ebabb8b4bb51cf.exe	81
PID 5080 wrote to memory of 4956	5080	7ebabb8b4bb51cf.exe	81
PID 5080 wrote to memory of 4956	5080	7ebabb8b4bb51cf.exe	81
PID 5080 wrote to memory of 4956	5080	7ebabb8b4bb51cf.exe	81
PID 5080 wrote to memory of 4956	5080	7ebabb8b4bb51cf.exe	81
PID 5080 wrote to memory of 4956	5080	7ebabb8b4bb51cf.exe	81
PID 4956 wrote to memory of 1428	4956	RegAsm.exe	82
PID 4956 wrote to memory of 1428	4956	RegAsm.exe	82
PID 4956 wrote to memory of 1428	4956	RegAsm.exe	82
PID 4956 wrote to memory of 996	4956	RegAsm.exe	83
PID 4956 wrote to memory of 996	4956	RegAsm.exe	83
PID 1428 wrote to memory of 1520	1428	svchost.exe	85
PID 1428 wrote to memory of 1520	1428	svchost.exe	85
PID 1428 wrote to memory of 1520	1428	svchost.exe	85
PID 996 wrote to memory of 2400	996	explorer.exe	86
PID 996 wrote to memory of 2400	996	explorer.exe	86
PID 996 wrote to memory of 3760	996	explorer.exe	88
PID 996 wrote to memory of 3760	996	explorer.exe	88
PID 996 wrote to memory of 4312	996	explorer.exe	90
PID 996 wrote to memory of 4312	996	explorer.exe	90
PID 996 wrote to memory of 4320	996	explorer.exe	92
PID 996 wrote to memory of 4320	996	explorer.exe	92
PID 996 wrote to memory of 3536	996	explorer.exe	94
PID 996 wrote to memory of 3536	996	explorer.exe	94
PID 996 wrote to memory of 676	996	explorer.exe	96
PID 996 wrote to memory of 676	996	explorer.exe	96
PID 996 wrote to memory of 4180	996	explorer.exe	99
PID 996 wrote to memory of 4180	996	explorer.exe	99
PID 996 wrote to memory of 4436	996	explorer.exe	101
PID 996 wrote to memory of 4436	996	explorer.exe	101
PID 996 wrote to memory of 3628	996	explorer.exe	103
PID 996 wrote to memory of 3628	996	explorer.exe	103
PID 996 wrote to memory of 1756	996	explorer.exe	105
PID 996 wrote to memory of 1756	996	explorer.exe	105
PID 1520 wrote to memory of 4892	1520	WScript.exe	107
PID 1520 wrote to memory of 4892	1520	WScript.exe	107
PID 1520 wrote to memory of 4892	1520	WScript.exe	107
PID 4892 wrote to memory of 1128	4892	cmd.exe	109
PID 4892 wrote to memory of 1128	4892	cmd.exe	109
PID 996 wrote to memory of 1140	996	explorer.exe	126
PID 996 wrote to memory of 1140	996	explorer.exe	126
PID 1140 wrote to memory of 3304	1140	cmd.exe	128
PID 1140 wrote to memory of 3304	1140	cmd.exe	128
PID 1128 wrote to memory of 3604	1128	savesref.exe	167
PID 1128 wrote to memory of 3604	1128	savesref.exe	167
PID 3604 wrote to memory of 4092	3604	cmd.exe	169
PID 3604 wrote to memory of 4092	3604	cmd.exe	169
PID 3604 wrote to memory of 344	3604	cmd.exe	170
PID 3604 wrote to memory of 344	3604	cmd.exe	170

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	savesref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	savesref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	savesref.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2400	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7ebabb8b4bb51cf.exe
"C:\Users\Admin\AppData\Local\Temp\7ebabb8b4bb51cf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\discord\KVGHJrchTtXZ1.vbe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\discord\91XI5GEPShJXCgG0eVHRJ.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4892
      - C:\Users\Admin\AppData\Roaming\discord\savesref.exe
        
        "C:\Users\Admin\AppData\Roaming\discord\savesref.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPGkKXBTT.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4092
        
        C:\Users\Default User\sppsvc.exe
        
        "C:\Users\Default User\sppsvc.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        System policy modification
        
        PID:344
- - C:\Users\Admin\AppData\Local\Temp\explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
      4⤵
      DcRat
      Views/modifies file attributes
      PID:2400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\explorer.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4312
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3536
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:676
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4180
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:4436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      PID:3628
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1756
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\explorer.exe" && pause
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1140
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        Runs ping.exe
        
        PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\assembly\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\SIGNUP\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\SIGNUP\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\IdentityCRL\INT\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Windows\IdentityCRL\INT\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Update\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\7-Zip\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Configuration\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Configuration\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3140

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2368

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\unsecapp.exe
"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\unsecapp.exe"
1⤵
- Executes dropped EXE
PID:4848

C:\Recovery\WindowsRE\winlogon.exe
C:\Recovery\WindowsRE\winlogon.exe
1⤵
- Executes dropped EXE
PID:4128

C:\Program Files\7-Zip\wininit.exe
"C:\Program Files\7-Zip\wininit.exe"
1⤵
- Executes dropped EXE
PID:1096

C:\Recovery\WindowsRE\services.exe
C:\Recovery\WindowsRE\services.exe
1⤵
- Executes dropped EXE
PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\wininit.exe

Filesize
1.5MB

MD5
ce522ce69d9c4ab6f1d6ef48085242ed

SHA1
7f9f9c0edd22473dd3a8ab3a7980199e2ac518a8

SHA256
cc3f1dffb690497b6b8c9d819458ec681da9d91e8e7d0f471aca44aa6337c220

SHA512
72b6417bc90c3eb31700f3072b0267aa465a729025bf7c60a27f8ea5f3a555707aac9044e0a2c2ec04fb4516d2079e646c7474759cab7eefb6a83b8f79b70008

Download Submit
C:\Recovery\WindowsRE\RCX9281.tmp

Filesize
1.5MB

MD5
bf164fec3cd078761a70462be31050fb

SHA1
48ebbb45426cbe2056e5f0bca1bd03e06ddfa5a2

SHA256
1d547dd97ae48345cae40c0a76258b3efa12dd8e9ea689f3d022e482584aa173

SHA512
fc4dbc0aa8d172b2b6c706e778acf5e49a5fc4c1c1fa763bd01a6d4332f1731ae5a87bfb500027067c3bb1b7508326c81b0462c08667b2b7a68bdc1ec38e748b

Download Submit
C:\Recovery\WindowsRE\RCXAC15.tmp

Filesize
1.5MB

MD5
be84958ddbb233e67cb3e095cf9491b1

SHA1
f50bb881559c23507e32a133e49d9d40da1e206d

SHA256
a7623e6e6051ac6f89605d7c439496756192e8f80e2972b26c57634a766dc684

SHA512
8f75ab42dba28f5bc7d370f366e34aa7d971f24327efaf49118f218b8828a837f28df29eeb06156f9024c84a804bb7cc606947bb8b0edde977fd7d1daabd6ae1

Download Submit
C:\Recovery\WindowsRE\winlogon.exe

Filesize
1.5MB

MD5
b9a64ec3d28e0716e7c6fc04abb9bd34

SHA1
73aaac64f0e66acc744a4a2f17b040a41c82330b

SHA256
c7c30b1d67f4d3fa9e78b7f2421ef44da1d3a6b1f19c01aef0e6c9f099a30563

SHA512
aaddbab6a9dff5f91cb56211c5c2f94e4b406435abc7afdeb3b9b9f0725aa3d8d659a9ba41c032a1327a788033d4d6c5584f3fd8b6db0a7ac4f6a5369a60ffc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
711b161528f4959c4b7463036c7324ec

SHA1
53b30cc796c0dfe0cd4c4406202a19139cb5407d

SHA256
7c077fb04d4911778ab648b657b43c9b464393d734dc7fa029ee0f085c6a5638

SHA512
565d0e3e229894de91ad37a16c261bf380e983ffda750f32e8ad361c0606c62043a0188f45d252fecabc6438bc9e7b2c424b101073162ba9633bacd03b42af9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
57083a8e45ebe4fd84c7c0f137ec3e21

SHA1
857b5ea57f7bcf03cadee122106c6e58792a9b84

SHA256
f20102c4dc409cad3cdaf7a330c3a18a730a9d7d902b9fbee2a84186cba93d40

SHA512
4bbc21c07c05ee1f783242f0fb59324d5ff9ae18bdf892f02980d582fed83380888eeba58e1a6a321507cfd5d4fe82a328a0d3482b29633be4e3ebbeac636f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\OyPGkKXBTT.bat

Filesize
197B

MD5
63c0e65922b207230a0b06480ca4b12a

SHA1
3af1c69f46048268d5ee727c8d05c15fe7684594

SHA256
16092e13880764ac793bccb98710afe46e89a3ce4b666075cc29e1e9c74ca432

SHA512
22ee6a7cca9868c6502eefa5a0d275d77b3e9309db1c91e36f2a284da843ac8d3fe621ff1bf999e2634cfdad535f4eb63f2b9c9b3afa4ece8058d74c069acbd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rxu2ooow.xk0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
231KB

MD5
5a006cd74e0225a15746bee6928d62f1

SHA1
a17dabdb634d9667c3590436998252148a5fab92

SHA256
0350fdb32852f781665e056a04f318e94c746612f7b4e3cd430d808c894aae4c

SHA512
59d6b467cf48cf1aafaf13e1acfdd6ae4806403f0bc92e759590b04da4ecd719488300ecd412d92931e7b65daf0ab2229d7a165b31595334676b40942bb30f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
1.8MB

MD5
45008c4cc3fc25a5d5184742ae2fe72b

SHA1
f5e7b3110df6917df0e07a822c313c52eec335fd

SHA256
09d240d54a5458bcc9362ea0f06e23a345b69e196e127462d5f33e8a475ccd57

SHA512
3059e4e59cb103f08fd13f776bf65d41b4cfec7a7f6610a2c945e134d4b913185f64bdf357bbc3c52e26da77f9e04a19c121611ad11fb40bf486aade1751e335

Download Submit
C:\Users\Admin\AppData\Roaming\discord\91XI5GEPShJXCgG0eVHRJ.bat

Filesize
32B

MD5
84814a18997996f8a95ba8e868396e90

SHA1
30b79b2158d922433ba25117fb79f8720470fb44

SHA256
92c8ccb6b3a9abc0798ad760255c47356c3750a74b11e38590876c68927f3797

SHA512
b1b820e12c49fe4993229222a218a769e5d6913f303d382baaff735f3b24a5b068adcfb344397004dd9d7aa637c4e9baedf2e3ca3dfb3f56e86c8c8f8cf9cf7e

Download Submit
C:\Users\Admin\AppData\Roaming\discord\KVGHJrchTtXZ1.vbe

Filesize
212B

MD5
cdb5dc99d1017d58fdbfce66f048da76

SHA1
e1903f365d81996da9810b9f0dc40bc65b3324c7

SHA256
bd9e0e5f3e6379d03907896d71843cc2dbfef7e209cc0896b4755fa0422a3b43

SHA512
72e3e2f3b5f385c402faf7ac89690a99806f648f90e85f46b01db66284f247c10dbe03e612e41c46775cd29fecaeede2fd26bc8dc2e22e252f9f1ce9b801f88d

Download Submit
C:\Users\Admin\AppData\Roaming\discord\savesref.exe

Filesize
1.5MB

MD5
0a32536cc1d5e2a35d7d289b4ff0e76b

SHA1
98736b0b5a6f3709f81365c9e6477819074c3170

SHA256
8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710

SHA512
b2d5d91eb7ecfc6eb295c63ecba5c3ceb4b4a865fc9a9f90bd1e82bff4bc39905baf9ab2962580ee708761632e5499694f3f823aa2f139bce809398262eb3b73

Download Submit
memory/996-101-0x0000020DF8890000-0x0000020DF889A000-memory.dmp

Filesize
40KB

Download
memory/996-102-0x0000020DF88C0000-0x0000020DF88D2000-memory.dmp

Filesize
72KB

Download
memory/996-31-0x0000020DF6390000-0x0000020DF63D0000-memory.dmp

Filesize
256KB

Download
memory/996-65-0x0000020DF8BC0000-0x0000020DF8C36000-memory.dmp

Filesize
472KB

Download
memory/996-66-0x0000020DF8B40000-0x0000020DF8B90000-memory.dmp

Filesize
320KB

Download
memory/996-67-0x0000020DF8B90000-0x0000020DF8BAE000-memory.dmp

Filesize
120KB

Download
memory/1096-364-0x00000000007E0000-0x000000000096C000-memory.dmp

Filesize
1.5MB

Download
memory/1128-122-0x000000001B790000-0x000000001B79C000-memory.dmp

Filesize
48KB

Download
memory/1128-119-0x000000001B760000-0x000000001B768000-memory.dmp

Filesize
32KB

Download
memory/1128-121-0x000000001B780000-0x000000001B78A000-memory.dmp

Filesize
40KB

Download
memory/1128-120-0x000000001B770000-0x000000001B77C000-memory.dmp

Filesize
48KB

Download
memory/1128-118-0x000000001B740000-0x000000001B748000-memory.dmp

Filesize
32KB

Download
memory/1128-117-0x000000001B730000-0x000000001B73C000-memory.dmp

Filesize
48KB

Download
memory/1128-110-0x00000000008C0000-0x0000000000A4C000-memory.dmp

Filesize
1.5MB

Download
memory/1128-111-0x0000000002BD0000-0x0000000002BEC000-memory.dmp

Filesize
112KB

Download
memory/1128-113-0x000000001B6F0000-0x000000001B706000-memory.dmp

Filesize
88KB

Download
memory/1128-112-0x0000000002BF0000-0x0000000002C00000-memory.dmp

Filesize
64KB

Download
memory/1128-114-0x0000000002C00000-0x0000000002C10000-memory.dmp

Filesize
64KB

Download
memory/1128-115-0x000000001B710000-0x000000001B71A000-memory.dmp

Filesize
40KB

Download
memory/1128-116-0x000000001B720000-0x000000001B728000-memory.dmp

Filesize
32KB

Download
memory/3760-46-0x000002B5F9DC0000-0x000002B5F9DE2000-memory.dmp

Filesize
136KB

Download
memory/4128-359-0x0000000000E30000-0x0000000000FBC000-memory.dmp

Filesize
1.5MB

Download
memory/4956-5-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/4956-12-0x0000000074D00000-0x00000000754B1000-memory.dmp

Filesize
7.7MB

Download
memory/4956-9-0x0000000005750000-0x00000000057EC000-memory.dmp

Filesize
624KB

Download
memory/4956-8-0x0000000074D00000-0x00000000754B1000-memory.dmp

Filesize
7.7MB

Download
memory/4956-38-0x0000000074D00000-0x00000000754B1000-memory.dmp

Filesize
7.7MB

Download
memory/5080-0-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

Filesize
4KB

Download
memory/5080-7-0x0000000074D00000-0x00000000754B1000-memory.dmp

Filesize
7.7MB

Download
memory/5080-4-0x0000000007AB0000-0x0000000007AB8000-memory.dmp

Filesize
32KB

Download
memory/5080-3-0x0000000005F40000-0x0000000005F50000-memory.dmp

Filesize
64KB

Download
memory/5080-2-0x0000000074D00000-0x00000000754B1000-memory.dmp

Filesize
7.7MB

Download
memory/5080-1-0x0000000000CA0000-0x00000000014CA000-memory.dmp

Filesize
8.2MB

Download