dcrat | 2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
Size

3.0MB
MD5

7930c72a0629b7d98cae323593175068
SHA1

3b53d631f69d7c1315b66c6c5ea43fc2dfb5d947
SHA256

2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88
SHA512

4053cf95786a933209f4ace73d7ae693816b288c8aa04bff3e2458e29e57d745710aabab70a86ff32ebedff3fe8f1be10c2976a659784de4c896017f0a9e30e8
SSDEEP

49152:AZ2fRPDpkR3/hESpjo4uLDI3KoSPq3cXtFvOUcx3twYvr0G56/FBwzpTZoKh:07ZJ89LDSKrq3iGnnw+1YXw9OK

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2860	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2860	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2860	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2860	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2860	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2860	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2860	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2860	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2860	schtasks.exe	29

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2924-14-0x0000000000400000-0x0000000000648000-memory.dmp	dcrat
behavioral1/memory/2924-19-0x0000000000400000-0x0000000000648000-memory.dmp	dcrat
behavioral1/memory/2924-23-0x0000000000400000-0x0000000000648000-memory.dmp	dcrat
behavioral1/memory/2924-17-0x0000000000400000-0x0000000000648000-memory.dmp	dcrat
behavioral1/memory/2924-13-0x0000000000400000-0x0000000000648000-memory.dmp	dcrat
behavioral1/memory/1808-156-0x0000000000400000-0x0000000000648000-memory.dmp	dcrat
behavioral1/memory/1808-157-0x0000000000400000-0x0000000000648000-memory.dmp	dcrat
behavioral1/memory/1892-184-0x0000000000400000-0x0000000000648000-memory.dmp	dcrat
behavioral1/memory/1892-183-0x0000000000400000-0x0000000000648000-memory.dmp	dcrat

Detects executables containing bas64 encoded gzip files 9 IoCs

resource	yara_rule
behavioral1/memory/2924-14-0x0000000000400000-0x0000000000648000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/2924-19-0x0000000000400000-0x0000000000648000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/2924-23-0x0000000000400000-0x0000000000648000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/2924-17-0x0000000000400000-0x0000000000648000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/2924-13-0x0000000000400000-0x0000000000648000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/1808-156-0x0000000000400000-0x0000000000648000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/1808-157-0x0000000000400000-0x0000000000648000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/1892-184-0x0000000000400000-0x0000000000648000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/1892-183-0x0000000000400000-0x0000000000648000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File

Detects executables packed with SmartAssembly 3 IoCs

resource	yara_rule
behavioral1/memory/2420-6-0x0000000000430000-0x000000000043A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2924-30-0x0000000000850000-0x0000000000860000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2924-41-0x0000000000FC0000-0x0000000000FCA000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2284	powershell.exe
776	powershell.exe
784	powershell.exe
536	powershell.exe
1756	powershell.exe
2936	powershell.exe
2072	powershell.exe
2488	powershell.exe
2180	powershell.exe
2372	powershell.exe
2772	powershell.exe
2140	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
2796	taskhost.exe
1808	taskhost.exe
2664	taskhost.exe
1892	taskhost.exe

Loads dropped DLL 3 IoCs

pid	Process
712	cmd.exe
712	cmd.exe
2376	WScript.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com
4	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2420 set thread context of 2924	2420	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	28
PID 2796 set thread context of 1808	2796	taskhost.exe	70
PID 2664 set thread context of 1892	2664	taskhost.exe	74

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\addins\RCXBBC5.tmp	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
File opened for modification	C:\Windows\addins\RCXBBC6.tmp	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
File opened for modification	C:\Windows\addins\Idle.exe	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
File created	C:\Windows\addins\Idle.exe	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
File created	C:\Windows\addins\6ccacd8608530f	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1412	schtasks.exe
2880	schtasks.exe
2992	schtasks.exe
2008	schtasks.exe
1040	schtasks.exe
2336	schtasks.exe
1764	schtasks.exe
2452	schtasks.exe
2172	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
2372	powershell.exe
776	powershell.exe
1756	powershell.exe
2284	powershell.exe
2180	powershell.exe
2140	powershell.exe
784	powershell.exe
2488	powershell.exe
2936	powershell.exe
2072	powershell.exe
536	powershell.exe
2772	powershell.exe
1808	taskhost.exe
1808	taskhost.exe
1808	taskhost.exe
1808	taskhost.exe
1808	taskhost.exe
1892	taskhost.exe
1892	taskhost.exe
1892	taskhost.exe
1892	taskhost.exe
1892	taskhost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	1808	taskhost.exe
Token: SeDebugPrivilege	1892	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2924	2420	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	28
PID 2420 wrote to memory of 2924	2420	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	28
PID 2420 wrote to memory of 2924	2420	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	28
PID 2420 wrote to memory of 2924	2420	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	28
PID 2420 wrote to memory of 2924	2420	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	28
PID 2420 wrote to memory of 2924	2420	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	28
PID 2420 wrote to memory of 2924	2420	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	28
PID 2420 wrote to memory of 2924	2420	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	28
PID 2420 wrote to memory of 2924	2420	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	28
PID 2924 wrote to memory of 2072	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	39
PID 2924 wrote to memory of 2072	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	39
PID 2924 wrote to memory of 2072	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	39
PID 2924 wrote to memory of 2072	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	39
PID 2924 wrote to memory of 2488	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	40
PID 2924 wrote to memory of 2488	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	40
PID 2924 wrote to memory of 2488	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	40
PID 2924 wrote to memory of 2488	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	40
PID 2924 wrote to memory of 2284	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	41
PID 2924 wrote to memory of 2284	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	41
PID 2924 wrote to memory of 2284	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	41
PID 2924 wrote to memory of 2284	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	41
PID 2924 wrote to memory of 2140	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	45
PID 2924 wrote to memory of 2140	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	45
PID 2924 wrote to memory of 2140	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	45
PID 2924 wrote to memory of 2140	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	45
PID 2924 wrote to memory of 2180	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	46
PID 2924 wrote to memory of 2180	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	46
PID 2924 wrote to memory of 2180	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	46
PID 2924 wrote to memory of 2180	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	46
PID 2924 wrote to memory of 2772	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	47
PID 2924 wrote to memory of 2772	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	47
PID 2924 wrote to memory of 2772	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	47
PID 2924 wrote to memory of 2772	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	47
PID 2924 wrote to memory of 2372	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	48
PID 2924 wrote to memory of 2372	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	48
PID 2924 wrote to memory of 2372	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	48
PID 2924 wrote to memory of 2372	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	48
PID 2924 wrote to memory of 2936	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	50
PID 2924 wrote to memory of 2936	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	50
PID 2924 wrote to memory of 2936	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	50
PID 2924 wrote to memory of 2936	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	50
PID 2924 wrote to memory of 1756	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	52
PID 2924 wrote to memory of 1756	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	52
PID 2924 wrote to memory of 1756	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	52
PID 2924 wrote to memory of 1756	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	52
PID 2924 wrote to memory of 536	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	53
PID 2924 wrote to memory of 536	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	53
PID 2924 wrote to memory of 536	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	53
PID 2924 wrote to memory of 536	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	53
PID 2924 wrote to memory of 784	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	54
PID 2924 wrote to memory of 784	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	54
PID 2924 wrote to memory of 784	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	54
PID 2924 wrote to memory of 784	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	54
PID 2924 wrote to memory of 776	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	55
PID 2924 wrote to memory of 776	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	55
PID 2924 wrote to memory of 776	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	55
PID 2924 wrote to memory of 776	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	55
PID 2924 wrote to memory of 712	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	59
PID 2924 wrote to memory of 712	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	59
PID 2924 wrote to memory of 712	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	59
PID 2924 wrote to memory of 712	2924	2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe	59
PID 712 wrote to memory of 1456	712	cmd.exe	65
PID 712 wrote to memory of 1456	712	cmd.exe	65
PID 712 wrote to memory of 1456	712	cmd.exe	65

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
"C:\Users\Admin\AppData\Local\Temp\2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe
  "C:\Users\Admin\AppData\Local\Temp\2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2072
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2284
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2180
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2372
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:784
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xx1rvPQXwC.bat"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:712
  - - C:\Windows\SysWOW64\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:1456
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2756
  - - C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe
      "C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:2796
    - - C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe
        
        "C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6289b2c7-844d-4e57-ac4c-e1dfe9e82ddc.vbs"
        6⤵
        Loads dropped DLL
        
        PID:2376
        
        C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe
        
        C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2664
        
        C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe
        
        "C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f803c087-5047-42fc-bd4d-3990ddba645d.vbs"
        9⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\518f5d4e-55b8-4900-8c30-8f5ae567eee8.vbs"
        9⤵
        
        PID:1916
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f6d3ae9-7bc5-4933-868b-b89042333092.vbs"
        6⤵
        
        PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe

Filesize
3.0MB

MD5
7930c72a0629b7d98cae323593175068

SHA1
3b53d631f69d7c1315b66c6c5ea43fc2dfb5d947

SHA256
2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88

SHA512
4053cf95786a933209f4ace73d7ae693816b288c8aa04bff3e2458e29e57d745710aabab70a86ff32ebedff3fe8f1be10c2976a659784de4c896017f0a9e30e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f6d3ae9-7bc5-4933-868b-b89042333092.vbs

Filesize
513B

MD5
8cde003ba77113afbeccb0193d14df34

SHA1
ac0a09e420bb7c39eb250c948274642eb2a92719

SHA256
3bd721a3bd4af30ad24ea75a0cc88ef6bcd872f3f4f83b52d2aaa024723ec942

SHA512
f0dd52550900f5ea1a1c7ae9b2892613cf49b9c1846c709d7154c5f9822daed5fa6684b67f5c59b4c2396feabd6c8836ba0acb2ef56666b2cd47ff32a762d360

Download Submit
C:\Users\Admin\AppData\Local\Temp\6289b2c7-844d-4e57-ac4c-e1dfe9e82ddc.vbs

Filesize
737B

MD5
f8b90d1968a944682d00a17b67b1f174

SHA1
3a6b13a305e2086395cf9e65927a25129c31f8ea

SHA256
d20b4c6cb05402584efc9e9156d0cf9c5e38d3a34ee9f71bb463c512c0679459

SHA512
03cd489e41bdfe705f58004a8412430677829f9c098338925c11b010c5529cb862b529b7a4a05c140b284e299fc46c2c8358b3e50a090d805ab271cfb96bf875

Download Submit
C:\Users\Admin\AppData\Local\Temp\f803c087-5047-42fc-bd4d-3990ddba645d.vbs

Filesize
737B

MD5
3ddd3958135caa83174e596a524f75aa

SHA1
8f6c4de54a6f2552a1f460280fe87ed2d311150a

SHA256
eed91ae7be0622f5eb742c475e71f71d14d85c71f37e978159a7ff83dbac7f89

SHA512
9ee9d6ed6f81259b8c435e54939fa1407e0997b1d253c441b15241e8750349826d76802df3cff527e36a00e6e81d2dde22ac24e9b411be7b7cbfb06f9064db7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx1rvPQXwC.bat

Filesize
226B

MD5
3a208d4c3b7b162e651def3a28902ef6

SHA1
4c9f844e307b649047fc51dd6f3822a0e5b7ab2a

SHA256
62c32d75d491d31c9397f703b47329af9587bf2e2e0a6ca3dd4efb82f511a63e

SHA512
961d2dd2bfcf7c63fad544547249441a7c83bdd24b4879d8f4e98938eff031cf1e97672e4baedfacfabcbdebad83f2cf12128f6e81143b85ea95360a39d8d85f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ba46c1b9af4b133c0b6fc79d901440cd

SHA1
e7d24d2d6b928b8acdc708097bc2d7c6b0a8e1bc

SHA256
17fe71d89b16cf0b091e3e8eaeb3a06c99501295e85a945fcc6b607d15f5a1fa

SHA512
50eff66d987c48d7ac9bd8bce1716d8f21956cb23ac5b7e379511b1410b2c06da91b4b5a59f1aa77f06f80e52248afb81f854a355f1d328ab64c019d17306d89

Download Submit
memory/1808-156-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1808-157-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1808-153-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1808-158-0x0000000004C60000-0x0000000004CB6000-memory.dmp

Filesize
344KB

Download
memory/1892-183-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1892-184-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2420-24-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2420-5-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2420-0-0x0000000074D4E000-0x0000000074D4F000-memory.dmp

Filesize
4KB

Download
memory/2420-1-0x0000000001150000-0x0000000001460000-memory.dmp

Filesize
3.1MB

Download
memory/2420-8-0x0000000009C70000-0x0000000009EE4000-memory.dmp

Filesize
2.5MB

Download
memory/2420-7-0x00000000099F0000-0x0000000009C6A000-memory.dmp

Filesize
2.5MB

Download
memory/2420-6-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/2420-2-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2420-4-0x0000000074D4E000-0x0000000074D4F000-memory.dmp

Filesize
4KB

Download
memory/2420-3-0x0000000000410000-0x0000000000426000-memory.dmp

Filesize
88KB

Download
memory/2664-170-0x00000000010F0000-0x0000000001400000-memory.dmp

Filesize
3.1MB

Download
memory/2664-171-0x00000000005B0000-0x00000000005C6000-memory.dmp

Filesize
88KB

Download
memory/2796-144-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/2796-143-0x00000000010F0000-0x0000000001400000-memory.dmp

Filesize
3.1MB

Download
memory/2924-17-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2924-31-0x0000000000CD0000-0x0000000000CE6000-memory.dmp

Filesize
88KB

Download
memory/2924-34-0x0000000001100000-0x0000000001156000-memory.dmp

Filesize
344KB

Download
memory/2924-35-0x0000000000D60000-0x0000000000D6C000-memory.dmp

Filesize
48KB

Download
memory/2924-36-0x0000000000DB0000-0x0000000000DB8000-memory.dmp

Filesize
32KB

Download
memory/2924-37-0x0000000000DC0000-0x0000000000DCC000-memory.dmp

Filesize
48KB

Download
memory/2924-38-0x0000000000EF0000-0x0000000000EF8000-memory.dmp

Filesize
32KB

Download
memory/2924-39-0x0000000000F00000-0x0000000000F12000-memory.dmp

Filesize
72KB

Download
memory/2924-40-0x0000000000F60000-0x0000000000F6C000-memory.dmp

Filesize
48KB

Download
memory/2924-41-0x0000000000FC0000-0x0000000000FCA000-memory.dmp

Filesize
40KB

Download
memory/2924-42-0x0000000001010000-0x000000000101E000-memory.dmp

Filesize
56KB

Download
memory/2924-43-0x0000000001060000-0x0000000001068000-memory.dmp

Filesize
32KB

Download
memory/2924-45-0x0000000004980000-0x000000000498C000-memory.dmp

Filesize
48KB

Download
memory/2924-44-0x00000000010B0000-0x00000000010B8000-memory.dmp

Filesize
32KB

Download
memory/2924-33-0x0000000000D00000-0x0000000000D0C000-memory.dmp

Filesize
48KB

Download
memory/2924-32-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/2924-122-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2924-30-0x0000000000850000-0x0000000000860000-memory.dmp

Filesize
64KB

Download
memory/2924-29-0x0000000000840000-0x0000000000848000-memory.dmp

Filesize
32KB

Download
memory/2924-28-0x0000000000820000-0x000000000083C000-memory.dmp

Filesize
112KB

Download
memory/2924-27-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2924-26-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/2924-25-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2924-11-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2924-13-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2924-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2924-23-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2924-22-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2924-19-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2924-14-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2924-9-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download