dcrat | 9a3b444bd26b5b3e29f8328ded81bb66db55f45dfba063c4772ddeae9b82d3c3

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d83eeb76d1dd2ff2b4786506b0a10b10N.exe
Size

1.3MB
MD5

d83eeb76d1dd2ff2b4786506b0a10b10
SHA1

d7dab29809264a786ea3f8f8988d7ab22e02b754
SHA256

9a3b444bd26b5b3e29f8328ded81bb66db55f45dfba063c4772ddeae9b82d3c3
SHA512

45e606414c5cbc8057288299e285a6c09e8bf74894cc1d40e97f2b8df4d4305705c27e7d21f5023e9de1e100ea01b95ed51a5532d636bcea08a4ee172252360f
SSDEEP

24576:BgYeYeZ3mh8EZ+pygc78oigPVf1US2SCLW+4:BeYz+pd7ZxNF

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 15 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		3232	schtasks.exe
		3984	schtasks.exe
		2672	schtasks.exe
		4396	schtasks.exe
		3520	schtasks.exe
		3400	schtasks.exe
		4264	schtasks.exe
File created	C:\Windows\System32\credprovhost\SppExtComObj.exe		d83eeb76d1dd2ff2b4786506b0a10b10N.exe
		3892	schtasks.exe
File created	C:\Windows\System32\credprovhost\e1ef82546f0b02		d83eeb76d1dd2ff2b4786506b0a10b10N.exe
		1492	schtasks.exe
		4896	schtasks.exe
		3616	schtasks.exe
		2256	schtasks.exe
		5000	schtasks.exe

Process spawned unexpected child process 13 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	2456	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	2456	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	2456	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2456	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2456	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	2456	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2456	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	2456	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	2456	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	2456	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	2456	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	2456	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	2456	schtasks.exe	83

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4748-1-0x0000000000540000-0x000000000068C000-memory.dmp	dcrat
behavioral2/files/0x00070000000234ec-19.dat	dcrat
behavioral2/files/0x0007000000022a85-71.dat	dcrat

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	d83eeb76d1dd2ff2b4786506b0a10b10N.exe

Executes dropped EXE 8 IoCs

pid	Process
960	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
4224	RuntimeBroker.exe
1772	RuntimeBroker.exe
4368	RuntimeBroker.exe
4864	RuntimeBroker.exe
3700	RuntimeBroker.exe
4220	RuntimeBroker.exe
1992	RuntimeBroker.exe

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\credprovhost\\SppExtComObj.exe\""	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\opengl32\\RuntimeBroker.exe\""	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\tracing\\SppExtComObj.exe\""	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUsoCoreWorker = "\"C:\\Windows\\System32\\dfrgui\\MoUsoCoreWorker.exe\""	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Recovery\\WindowsRE\\unsecapp.exe\""	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\it\\RuntimeBroker.exe\""	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\DscCore\\unsecapp.exe\""	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\""	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32\\OfficeClickToRun.exe\""	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\PerfLogs\\TextInputHost.exe\""	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\Windows.Media.Playback.ProxyStub\\RuntimeBroker.exe\""	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Windows\\GameBarPresenceWriter\\WaaSMedicAgent.exe\""	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\PerfLogs\\RuntimeBroker.exe\""	d83eeb76d1dd2ff2b4786506b0a10b10N.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
21	pastebin.com
34	pastebin.com
37	pastebin.com
20	pastebin.com

Drops file in System32 directory 19 IoCs

description	ioc	Process
File created	C:\Windows\System32\dfrgui\MoUsoCoreWorker.exe	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File opened for modification	C:\Windows\System32\dfrgui\MoUsoCoreWorker.exe	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File created	C:\Windows\System32\dfrgui\1f93f77a7f4778	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File created	C:\Windows\System32\wbem\DscCore\29c1c3cc0f7685	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File opened for modification	C:\Windows\System32\credprovhost\SppExtComObj.exe	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File opened for modification	C:\Windows\System32\wbem\DscCore\unsecapp.exe	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File opened for modification	C:\Windows\System32\Windows.Media.Playback.ProxyStub\RuntimeBroker.exe	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File created	C:\Windows\System32\opengl32\RuntimeBroker.exe	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File opened for modification	C:\Windows\System32\opengl32\RCXAC53.tmp	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File opened for modification	C:\Windows\System32\opengl32\RCXAC54.tmp	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File opened for modification	C:\Windows\System32\opengl32\RuntimeBroker.exe	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File created	C:\Windows\System32\credprovhost\e1ef82546f0b02	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File created	C:\Windows\System32\opengl32\9e8d7a4ca61bd9	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File opened for modification	C:\Windows\System32\credprovhost\RCXA848.tmp	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File opened for modification	C:\Windows\System32\credprovhost\RCXA849.tmp	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File created	C:\Windows\System32\Windows.Media.Playback.ProxyStub\RuntimeBroker.exe	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File created	C:\Windows\System32\Windows.Media.Playback.ProxyStub\9e8d7a4ca61bd9	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File created	C:\Windows\System32\wbem\DscCore\unsecapp.exe	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File created	C:\Windows\System32\credprovhost\SppExtComObj.exe	d83eeb76d1dd2ff2b4786506b0a10b10N.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\RuntimeBroker.exe	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\9e8d7a4ca61bd9	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\RuntimeBroker.exe	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32\OfficeClickToRun.exe	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32\e6c9b481da804f	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32\RCXAED6.tmp	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32\RCXAF44.tmp	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32\OfficeClickToRun.exe	d83eeb76d1dd2ff2b4786506b0a10b10N.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\GameBarPresenceWriter\WaaSMedicAgent.exe	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File created	C:\Windows\tracing\SppExtComObj.exe	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File created	C:\Windows\tracing\e1ef82546f0b02	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File opened for modification	C:\Windows\tracing\RCXB35E.tmp	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File opened for modification	C:\Windows\tracing\RCXB35F.tmp	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File opened for modification	C:\Windows\tracing\SppExtComObj.exe	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File created	C:\Windows\GameBarPresenceWriter\WaaSMedicAgent.exe	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
File created	C:\Windows\GameBarPresenceWriter\c82b8037eab33d	d83eeb76d1dd2ff2b4786506b0a10b10N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	d83eeb76d1dd2ff2b4786506b0a10b10N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1492	schtasks.exe
4264	schtasks.exe
2256	schtasks.exe
4396	schtasks.exe
3520	schtasks.exe
3400	schtasks.exe
3892	schtasks.exe
3232	schtasks.exe
3616	schtasks.exe
2672	schtasks.exe
5000	schtasks.exe
4896	schtasks.exe
3984	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4748	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
4748	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
4748	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
960	d83eeb76d1dd2ff2b4786506b0a10b10N.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4748	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
Token: SeDebugPrivilege	960	d83eeb76d1dd2ff2b4786506b0a10b10N.exe
Token: SeDebugPrivilege	4224	RuntimeBroker.exe
Token: SeDebugPrivilege	1772	RuntimeBroker.exe
Token: SeDebugPrivilege	4368	RuntimeBroker.exe
Token: SeDebugPrivilege	4864	RuntimeBroker.exe
Token: SeDebugPrivilege	3700	RuntimeBroker.exe
Token: SeDebugPrivilege	4220	RuntimeBroker.exe
Token: SeDebugPrivilege	1992	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 4504	4748	d83eeb76d1dd2ff2b4786506b0a10b10N.exe	97
PID 4748 wrote to memory of 4504	4748	d83eeb76d1dd2ff2b4786506b0a10b10N.exe	97
PID 4504 wrote to memory of 3320	4504	cmd.exe	99
PID 4504 wrote to memory of 3320	4504	cmd.exe	99
PID 4504 wrote to memory of 960	4504	cmd.exe	103
PID 4504 wrote to memory of 960	4504	cmd.exe	103
PID 960 wrote to memory of 3152	960	d83eeb76d1dd2ff2b4786506b0a10b10N.exe	111
PID 960 wrote to memory of 3152	960	d83eeb76d1dd2ff2b4786506b0a10b10N.exe	111
PID 3152 wrote to memory of 1568	3152	cmd.exe	113
PID 3152 wrote to memory of 1568	3152	cmd.exe	113
PID 3152 wrote to memory of 4224	3152	cmd.exe	114
PID 3152 wrote to memory of 4224	3152	cmd.exe	114
PID 4224 wrote to memory of 2412	4224	RuntimeBroker.exe	115
PID 4224 wrote to memory of 2412	4224	RuntimeBroker.exe	115
PID 4224 wrote to memory of 4816	4224	RuntimeBroker.exe	116
PID 4224 wrote to memory of 4816	4224	RuntimeBroker.exe	116
PID 4224 wrote to memory of 5012	4224	RuntimeBroker.exe	118
PID 4224 wrote to memory of 5012	4224	RuntimeBroker.exe	118
PID 5012 wrote to memory of 376	5012	cmd.exe	120
PID 5012 wrote to memory of 376	5012	cmd.exe	120
PID 2412 wrote to memory of 1772	2412	WScript.exe	121
PID 2412 wrote to memory of 1772	2412	WScript.exe	121
PID 1772 wrote to memory of 2796	1772	RuntimeBroker.exe	122
PID 1772 wrote to memory of 2796	1772	RuntimeBroker.exe	122
PID 1772 wrote to memory of 4752	1772	RuntimeBroker.exe	123
PID 1772 wrote to memory of 4752	1772	RuntimeBroker.exe	123
PID 1772 wrote to memory of 1436	1772	RuntimeBroker.exe	124
PID 1772 wrote to memory of 1436	1772	RuntimeBroker.exe	124
PID 1436 wrote to memory of 3724	1436	cmd.exe	126
PID 1436 wrote to memory of 3724	1436	cmd.exe	126
PID 5012 wrote to memory of 4368	5012	cmd.exe	128
PID 5012 wrote to memory of 4368	5012	cmd.exe	128
PID 4368 wrote to memory of 4896	4368	RuntimeBroker.exe	129
PID 4368 wrote to memory of 4896	4368	RuntimeBroker.exe	129
PID 4368 wrote to memory of 2224	4368	RuntimeBroker.exe	130
PID 4368 wrote to memory of 2224	4368	RuntimeBroker.exe	130
PID 2796 wrote to memory of 4864	2796	WScript.exe	131
PID 2796 wrote to memory of 4864	2796	WScript.exe	131
PID 1436 wrote to memory of 3700	1436	cmd.exe	132
PID 1436 wrote to memory of 3700	1436	cmd.exe	132
PID 4368 wrote to memory of 1356	4368	RuntimeBroker.exe	133
PID 4368 wrote to memory of 1356	4368	RuntimeBroker.exe	133
PID 1356 wrote to memory of 4256	1356	cmd.exe	135
PID 1356 wrote to memory of 4256	1356	cmd.exe	135
PID 4896 wrote to memory of 4220	4896	WScript.exe	136
PID 4896 wrote to memory of 4220	4896	WScript.exe	136
PID 1356 wrote to memory of 1992	1356	cmd.exe	137
PID 1356 wrote to memory of 1992	1356	cmd.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d83eeb76d1dd2ff2b4786506b0a10b10N.exe
"C:\Users\Admin\AppData\Local\Temp\d83eeb76d1dd2ff2b4786506b0a10b10N.exe"
1⤵
- DcRat
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wzM9XpuGFo.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3320
- - C:\Users\Admin\AppData\Local\Temp\d83eeb76d1dd2ff2b4786506b0a10b10N.exe
    "C:\Users\Admin\AppData\Local\Temp\d83eeb76d1dd2ff2b4786506b0a10b10N.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Xf2kAHMkP.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3152
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1568
    - - C:\Windows\System32\Windows.Media.Playback.ProxyStub\RuntimeBroker.exe
        
        "C:\Windows\System32\Windows.Media.Playback.ProxyStub\RuntimeBroker.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4224
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bea428e1-eea4-4163-94a9-d988784e9e6d.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\System32\Windows.Media.Playback.ProxyStub\RuntimeBroker.exe
        
        C:\Windows\System32\Windows.Media.Playback.ProxyStub\RuntimeBroker.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7111c455-3293-46e8-a839-cedde62273f3.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\System32\Windows.Media.Playback.ProxyStub\RuntimeBroker.exe
        
        C:\Windows\System32\Windows.Media.Playback.ProxyStub\RuntimeBroker.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9be75ff3-d5f8-4a30-94ad-e889c0b2d3e8.vbs"
        8⤵
        
        PID:4752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9OucH8Koso.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3724
        
        C:\Windows\System32\Windows.Media.Playback.ProxyStub\RuntimeBroker.exe
        
        "C:\Windows\System32\Windows.Media.Playback.ProxyStub\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3700
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\238a1542-2e93-430e-ae39-6f17fd0dec7d.vbs"
        6⤵
        
        PID:4816
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3wPgb0HPV.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:376
        
        C:\Windows\System32\Windows.Media.Playback.ProxyStub\RuntimeBroker.exe
        
        "C:\Windows\System32\Windows.Media.Playback.ProxyStub\RuntimeBroker.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2ec848c-d634-49e7-aa40-5a12135abed1.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\System32\Windows.Media.Playback.ProxyStub\RuntimeBroker.exe
        
        C:\Windows\System32\Windows.Media.Playback.ProxyStub\RuntimeBroker.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d506dcb5-b858-4382-b0f5-bddc9101222f.vbs"
        8⤵
        
        PID:2224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\02u8CkuMvS.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4256
        
        C:\Windows\System32\Windows.Media.Playback.ProxyStub\RuntimeBroker.exe
        
        "C:\Windows\System32\Windows.Media.Playback.ProxyStub\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\credprovhost\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\opengl32\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\PerfLogs\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\tracing\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\System32\dfrgui\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Media.Playback.ProxyStub\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\PerfLogs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\DscCore\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\TextInputHost.exe

Filesize
1.3MB

MD5
d83eeb76d1dd2ff2b4786506b0a10b10

SHA1
d7dab29809264a786ea3f8f8988d7ab22e02b754

SHA256
9a3b444bd26b5b3e29f8328ded81bb66db55f45dfba063c4772ddeae9b82d3c3

SHA512
45e606414c5cbc8057288299e285a6c09e8bf74894cc1d40e97f2b8df4d4305705c27e7d21f5023e9de1e100ea01b95ed51a5532d636bcea08a4ee172252360f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32\OfficeClickToRun.exe

Filesize
1.3MB

MD5
dd9baef453f30e4464277e75b931bef2

SHA1
4b0d7f3ed6cb0e4a6124101c33ca49d72f3b389e

SHA256
159821847d25d35c5147ebe36d97d7c5020e9d04ab6e1d7e9055152f99b2692c

SHA512
be0c174a31855b985c918f06fd86befd0ff34912d3739299f365b39ee2cdd8ccf6c37f9fca93ed624a9172b730c6c4248b1ee05c88ba19a4bdbf2798f9b0dd59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\d83eeb76d1dd2ff2b4786506b0a10b10N.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Temp\02u8CkuMvS.bat

Filesize
234B

MD5
cc91e309285903d416acec1d97b4436f

SHA1
2fc41c2ca5c734e1fdea042c997ed2fd142fab18

SHA256
bd5a853d0f636b9eb1d828462348db8f2150cf02c63b42b3fc8994295b0f1ed5

SHA512
71e5403ca129f2712dbb35eae8a161acb71020180236fd8306f768ca1c3e8b58ad84a5554ac3d12253a938a10208d65e3ef5885c13466ccfb0161b11430ac3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\238a1542-2e93-430e-ae39-6f17fd0dec7d.vbs

Filesize
522B

MD5
1e9f797bda57d83fd86b09b88013a696

SHA1
98f74f85ab4f5187a254e3d9e9ed25f9bdd86019

SHA256
2fa04793210a10dcd5aada714a1d8ba444ac613748b6e1164e3680729759483c

SHA512
5af71fd10381c5afb0f72fe2b76e5c1377738298876a7549c6204a866e2c8fecb944b47ba0ba86afc7ce675f42644365acabd6dae61860ce15a8749c9200bc8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Xf2kAHMkP.bat

Filesize
234B

MD5
74a55674f5e6aff52efe13573d63c3e0

SHA1
6dbad5aea752aba2836c47ab71bfeada8145bec7

SHA256
cf9a51a754ac87c622e1455a5f22fc3f706f722eea64b31bf037c8002b48531f

SHA512
0778f75e68e907e4597377bbbe48df27a91953dd65ac83565b30f27bc54b6551de0655ea202841eae74cbd477b00cea9e7bd577e9b7a89ad35acad1b6181de9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7111c455-3293-46e8-a839-cedde62273f3.vbs

Filesize
746B

MD5
3589694050e1209a4fbb2f49d2f1c90a

SHA1
97807e4ebef7f2cc745a356d4a6ccdb7f0c291b8

SHA256
17be9665327130c286378727b7593828b9d7e8438ed5135e93d0c62191865881

SHA512
67fefcc2083cb9ce0c7fe16f294d71efb5867c2c89351041b603e07cc342f98c672e7f7dc79650585a95c2879fad18f335e2919f4d8ced53245fa1308fde83dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9OucH8Koso.bat

Filesize
234B

MD5
e3a64ecb03a446f6c67daaa9b3491ba7

SHA1
6a01bed08634f3b417bae730aaee14f67fb13c42

SHA256
74f378232460ffc83fe118a0bdc05125ff3cc6b65d506a67a608b2dac37044ee

SHA512
cf5430c9dd0604e297bbc1927c20cd9e83a4016c58e2adb1d52f564c283b56605126ee6929f4d78556a559bbaa6af0167c686da1f2c1faa459d71269819208da

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3wPgb0HPV.bat

Filesize
234B

MD5
4d8d13778727e494361b0edc8bb2d5c1

SHA1
98b14a17861850e7650a7393ec3a53f9aebca925

SHA256
307156d0e68431b28a33d6d0e701e0edf89179d78443abb477b740323515e06d

SHA512
ff153d238caa2ef0aed6402122e7c1f7db28e257030655b52e7119890f8d675f39725cc578822c4e2af36e644ac221fcef4442610b603eaf79ad4e8f3a0c25fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bea428e1-eea4-4163-94a9-d988784e9e6d.vbs

Filesize
746B

MD5
a5639aad1ed833f080432f10157e8409

SHA1
5cd0fe0c1f6b1b86b9cd5035f64124abcf5b9431

SHA256
42ea5659c25daf2a472953a6375e572fc7fc5d573c6b47868d28f75d2d3d12f7

SHA512
2e4c85266f8175402b31c14f2163f0ca10346d8f38cf6b5cf10acdba3509828f208e11c80c9275b7274290722039eb58af1bdfb804a1cf02ed38b9fa6682a3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2ec848c-d634-49e7-aa40-5a12135abed1.vbs

Filesize
746B

MD5
5623213703e95f8fed86fb2698a55055

SHA1
b68cdfba440edf3f4332fc8da5656d9efcca79f1

SHA256
5aa11839c80699a4196c06645d804252d8ce239e297799b0047ec63a8371527c

SHA512
093a46abd37e2bd2258944c04343a830d01facda6434f74bf0f4e2da07a53c0d7a70814389cd54bc3b2381719653cff45bba636ca0fad3b9212b2e8c0ae5e453

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzM9XpuGFo.bat

Filesize
235B

MD5
4feedb25269abd8b2850d70184bd8ca7

SHA1
2741200c32ef75f51395b0a95345abed54e64f58

SHA256
6c956dc64ab39abd1d9206463a78dbea6776a2b59baf8026886a3f6e580b852a

SHA512
1693ab49f1d80d3da22b9f77bfd332bbc8dff9a3899cb83ca3b10fd0bd66d9936d41720b94b8b956cc6780d425721665182a565bda47f3ad4282590ea1804dab

Download Submit
memory/4748-104-0x00007FFCCD6A0000-0x00007FFCCE161000-memory.dmp

Filesize
10.8MB

Download
memory/4748-4-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/4748-3-0x0000000000F20000-0x0000000000F28000-memory.dmp

Filesize
32KB

Download
memory/4748-5-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/4748-6-0x000000001B0F0000-0x000000001B100000-memory.dmp

Filesize
64KB

Download
memory/4748-0-0x00007FFCCD6A3000-0x00007FFCCD6A5000-memory.dmp

Filesize
8KB

Download
memory/4748-9-0x000000001B110000-0x000000001B11A000-memory.dmp

Filesize
40KB

Download
memory/4748-2-0x00007FFCCD6A0000-0x00007FFCCE161000-memory.dmp

Filesize
10.8MB

Download
memory/4748-10-0x000000001B160000-0x000000001B16C000-memory.dmp

Filesize
48KB

Download
memory/4748-8-0x000000001B120000-0x000000001B12C000-memory.dmp

Filesize
48KB

Download
memory/4748-7-0x000000001B130000-0x000000001B140000-memory.dmp

Filesize
64KB

Download
memory/4748-1-0x0000000000540000-0x000000000068C000-memory.dmp

Filesize
1.3MB

Download