dcrat | 17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/10/2024, 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
Size

1.7MB
MD5

3fba7f79ef350176d3df69eadadad6d0
SHA1

287507f1ec455c36c70ba2a8923b9834a3849376
SHA256

17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491
SHA512

fd2cbf1407ea0931b8b2ab3c47e9586113d395c8ef3e311ada6405f5cf8a20b1c16dfa1c1b4a1d1a266c0e5ab784fafd127cce194546cd99263ddc3fcb48c748
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2488	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2488	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2488	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2488	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2488	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2488	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2488	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2488	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2488	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2488	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2488	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2488	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2488	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2488	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2488	schtasks.exe	30

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2008-1-0x0000000001160000-0x0000000001316000-memory.dmp	dcrat
behavioral1/files/0x00050000000186fd-27.dat	dcrat
behavioral1/files/0x00050000000193b4-42.dat	dcrat
behavioral1/files/0x000b000000012116-77.dat	dcrat
behavioral1/files/0x0009000000016d42-88.dat	dcrat
behavioral1/memory/2984-161-0x0000000001140000-0x00000000012F6000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
536	powershell.exe
808	powershell.exe
484	powershell.exe
632	powershell.exe
1444	powershell.exe
620	powershell.exe
1412	powershell.exe
2408	powershell.exe
1668	powershell.exe
2108	powershell.exe
584	powershell.exe
984	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe

Executes dropped EXE 2 IoCs

pid	Process
2984	taskhost.exe
1744	taskhost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\dllhost.exe	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File created	C:\Program Files\Common Files\5940a34987c991	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File created	C:\Program Files (x86)\MSBuild\services.exe	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File opened for modification	C:\Program Files\Common Files\RCX8B62.tmp	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File opened for modification	C:\Program Files\Common Files\RCX8B63.tmp	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\services.exe	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File created	C:\Program Files\Common Files\dllhost.exe	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File created	C:\Program Files (x86)\MSBuild\c5b4cb5e9653cc	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCX8D67.tmp	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCX8D68.tmp	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2764	schtasks.exe
2860	schtasks.exe
2900	schtasks.exe
2776	schtasks.exe
2684	schtasks.exe
2192	schtasks.exe
2960	schtasks.exe
1560	schtasks.exe
2640	schtasks.exe
1928	schtasks.exe
296	schtasks.exe
2840	schtasks.exe
2492	schtasks.exe
2920	schtasks.exe
2712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
1412	powershell.exe
1444	powershell.exe
632	powershell.exe
484	powershell.exe
536	powershell.exe
808	powershell.exe
2408	powershell.exe
984	powershell.exe
584	powershell.exe
2108	powershell.exe
620	powershell.exe
1668	powershell.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe
2984	taskhost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	484	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	2984	taskhost.exe
Token: SeDebugPrivilege	1744	taskhost.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2408	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	46
PID 2008 wrote to memory of 2408	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	46
PID 2008 wrote to memory of 2408	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	46
PID 2008 wrote to memory of 1668	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	47
PID 2008 wrote to memory of 1668	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	47
PID 2008 wrote to memory of 1668	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	47
PID 2008 wrote to memory of 2108	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	48
PID 2008 wrote to memory of 2108	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	48
PID 2008 wrote to memory of 2108	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	48
PID 2008 wrote to memory of 536	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	49
PID 2008 wrote to memory of 536	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	49
PID 2008 wrote to memory of 536	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	49
PID 2008 wrote to memory of 584	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	50
PID 2008 wrote to memory of 584	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	50
PID 2008 wrote to memory of 584	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	50
PID 2008 wrote to memory of 808	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	51
PID 2008 wrote to memory of 808	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	51
PID 2008 wrote to memory of 808	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	51
PID 2008 wrote to memory of 984	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	52
PID 2008 wrote to memory of 984	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	52
PID 2008 wrote to memory of 984	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	52
PID 2008 wrote to memory of 484	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	53
PID 2008 wrote to memory of 484	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	53
PID 2008 wrote to memory of 484	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	53
PID 2008 wrote to memory of 632	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	54
PID 2008 wrote to memory of 632	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	54
PID 2008 wrote to memory of 632	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	54
PID 2008 wrote to memory of 1444	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	55
PID 2008 wrote to memory of 1444	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	55
PID 2008 wrote to memory of 1444	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	55
PID 2008 wrote to memory of 620	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	56
PID 2008 wrote to memory of 620	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	56
PID 2008 wrote to memory of 620	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	56
PID 2008 wrote to memory of 1412	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	57
PID 2008 wrote to memory of 1412	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	57
PID 2008 wrote to memory of 1412	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	57
PID 2008 wrote to memory of 1584	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	70
PID 2008 wrote to memory of 1584	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	70
PID 2008 wrote to memory of 1584	2008	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	70
PID 1584 wrote to memory of 2708	1584	cmd.exe	72
PID 1584 wrote to memory of 2708	1584	cmd.exe	72
PID 1584 wrote to memory of 2708	1584	cmd.exe	72
PID 1584 wrote to memory of 2984	1584	cmd.exe	73
PID 1584 wrote to memory of 2984	1584	cmd.exe	73
PID 1584 wrote to memory of 2984	1584	cmd.exe	73
PID 2984 wrote to memory of 2884	2984	taskhost.exe	74
PID 2984 wrote to memory of 2884	2984	taskhost.exe	74
PID 2984 wrote to memory of 2884	2984	taskhost.exe	74
PID 2984 wrote to memory of 2992	2984	taskhost.exe	75
PID 2984 wrote to memory of 2992	2984	taskhost.exe	75
PID 2984 wrote to memory of 2992	2984	taskhost.exe	75
PID 2884 wrote to memory of 1744	2884	WScript.exe	77
PID 2884 wrote to memory of 1744	2884	WScript.exe	77
PID 2884 wrote to memory of 1744	2884	WScript.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
"C:\Users\Admin\AppData\Local\Temp\17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UlhQHDc2pJ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2708
- - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe
    "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36b4ff73-e09f-414a-bc6f-87145f38107c.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4b87dfd-25c9-46b3-b528-ea44b82ba8c7.vbs"
      4⤵
      PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N1" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N1" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe

Filesize
1.7MB

MD5
a91b304489b39ae9d67b3aaa540f0cd4

SHA1
569ab7e19bf034aa3d767e6c8255878ed9caca04

SHA256
f57ca50c6f967f532fd3a89f2533f89dd383f1e9ae3cc08c7e4791a3e4bf7095

SHA512
eaf75939e9a33e9a1abb391704c07fd31a380f8341f59b6b5c47d62e855e9d4194c16dd600dd3c5b00cb99a2b057102068848437169f837f005ac9d7eb7cda0d

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe

Filesize
1.7MB

MD5
3fba7f79ef350176d3df69eadadad6d0

SHA1
287507f1ec455c36c70ba2a8923b9834a3849376

SHA256
17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491

SHA512
fd2cbf1407ea0931b8b2ab3c47e9586113d395c8ef3e311ada6405f5cf8a20b1c16dfa1c1b4a1d1a266c0e5ab784fafd127cce194546cd99263ddc3fcb48c748

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe

Filesize
1.7MB

MD5
dd9f61fe2f408491e30bdf43bb87bbd7

SHA1
050f14cfde8d9852f710ac6f7c3a5e1ddf378886

SHA256
23aa83d51d4b95e828dabb4669083ae8a71f4bd356f1b423f8db63df45fd43bf

SHA512
af41c9a893dd439fe6a7ffb4369d77a73176369bade122dab4997dab7bb263187c60a3e9cf8d137ed16e2c5d2e350667043f2c2df4724e69797d34bb84b14c48

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe

Filesize
1.7MB

MD5
bf7c1ff0196e4263e139ede7015bd258

SHA1
223acb25234aa360f0718d62ec9adc9825a22263

SHA256
83da8091c3df6f8443e942f9048b1d47fd574a426d69eb2a6050e927259bde41

SHA512
1a9ed435e302b02b9215b5b723eb71fe0daaeb6e57f52776ab2300276af1053e957587e8b7c1fba3b5f4fd6123e4af293957ef3a22b0dddea324b2fae0e1947c

Download Submit
C:\Users\Admin\AppData\Local\Temp\36b4ff73-e09f-414a-bc6f-87145f38107c.vbs

Filesize
760B

MD5
2aaa78ef09927fbc48f98e1ceb1fdf23

SHA1
0810b8478953093284aad173a68028dee48356ac

SHA256
9250b68c5ff89d9ee042910b173dc4f1f959f26061bae003b8de68561112671b

SHA512
d2366d8c61d67207e79faf8154b8f349863c739b4f30644853e972070fbc8bb2ecc3e32736e1f02c1572e9b1e19411eeac80c55a00e070482b10c82bee913601

Download Submit
C:\Users\Admin\AppData\Local\Temp\UlhQHDc2pJ.bat

Filesize
249B

MD5
79db65f501e9c836b2cd45dacc14746b

SHA1
f4bb2651baaa90ae76044f79ad3846b36144077c

SHA256
3726738c80d3470d6fc20efd474b87996d68b2d055ce6ac504b465eadb92450a

SHA512
66a5c933ff888fb534945da50513159c76da395e71c908fa89eb56c64b11e3ee836b276ee977dac0b32a971aba9383e2d6dc3a1eeab52ef556b1d56045bd165c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4b87dfd-25c9-46b3-b528-ea44b82ba8c7.vbs

Filesize
536B

MD5
2f9b0d4fc1feff37eedd66021d44b1a4

SHA1
5f30e75dee67c217a578086bce40c5d181cb1e17

SHA256
63c59e0dd71f810565272c6c5c191bff3ec0791cfe4873b533680e2db0d6c6c8

SHA512
5f945d685b7ed938b6d8f5b13b2bbba68d65b7fa102f843744be4e3137b3bc332e9d726c32e6913cf9f8f99a562d88777454186ad1aed62e692c74dbe57f0e93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ce4236ec5c19b358812bfdd9d5029415

SHA1
f39229055577b149a1772f54b5c38af806416337

SHA256
2cd274960dd1d92e5bfac20c144c5788284750ace9e5a2976373ae862153c1fc

SHA512
1d686779c9efe82b855f94277a9633e46b775f67e759eb568e0fd6bca05661320c9bc9c82a5af3048bb783ba9c6f3dcca607a11eebbba0ee8f14778a63c54f30

Download Submit
memory/808-145-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/984-144-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2008-6-0x0000000000410000-0x0000000000426000-memory.dmp

Filesize
88KB

Download
memory/2008-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/2008-13-0x00000000010E0000-0x00000000010EC000-memory.dmp

Filesize
48KB

Download
memory/2008-15-0x0000000001100000-0x0000000001108000-memory.dmp

Filesize
32KB

Download
memory/2008-14-0x00000000010F0000-0x00000000010FA000-memory.dmp

Filesize
40KB

Download
memory/2008-16-0x0000000001110000-0x000000000111C000-memory.dmp

Filesize
48KB

Download
memory/2008-17-0x0000000001120000-0x000000000112C000-memory.dmp

Filesize
48KB

Download
memory/2008-20-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2008-10-0x0000000000C40000-0x0000000000C48000-memory.dmp

Filesize
32KB

Download
memory/2008-9-0x0000000000B60000-0x0000000000B6C000-memory.dmp

Filesize
48KB

Download
memory/2008-8-0x0000000000B70000-0x0000000000B80000-memory.dmp

Filesize
64KB

Download
memory/2008-12-0x0000000000C50000-0x0000000000C5C000-memory.dmp

Filesize
48KB

Download
memory/2008-7-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2008-5-0x0000000000200000-0x0000000000210000-memory.dmp

Filesize
64KB

Download
memory/2008-109-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2008-4-0x00000000001F0000-0x00000000001F8000-memory.dmp

Filesize
32KB

Download
memory/2008-3-0x00000000001C0000-0x00000000001DC000-memory.dmp

Filesize
112KB

Download
memory/2008-1-0x0000000001160000-0x0000000001316000-memory.dmp

Filesize
1.7MB

Download
memory/2008-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2984-162-0x0000000000BE0000-0x0000000000BF2000-memory.dmp

Filesize
72KB

Download
memory/2984-161-0x0000000001140000-0x00000000012F6000-memory.dmp

Filesize
1.7MB

Download