dcrat | 741e00a1f7ef7e5fe69144adfb6023fe14d29ddcd1b9982a3ebcbced6748e8fc

Analysis

max time kernel
60s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CD0FDBF184A188298A847D17AF361C7D.exe
Size

2.2MB
MD5

cd0fdbf184a188298a847d17af361c7d
SHA1

d6394498b1dc80e93010b835940a463383bcf08a
SHA256

741e00a1f7ef7e5fe69144adfb6023fe14d29ddcd1b9982a3ebcbced6748e8fc
SHA512

08f5bcd179e16dc5bbc392bd70af00925e17e307de2c11b8f247b00f961f4d7861e6d52073ccac08bd48488f884c0b34154788062bfb799593c9546c6b173461
SSDEEP

24576:2TbBv5rUyXVf7/weHc1lJq2tB/pw97SSwEWJSwDFrs7+6pa7gv6a9MrYetY5Q62w:IBJTqpji7SxFgz7XM7metv6s2N8WT

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Idle.exe\", \"C:\\Hyperagentdll\\csrss.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Idle.exe\", \"C:\\Hyperagentdll\\csrss.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\Idle.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Idle.exe\", \"C:\\Hyperagentdll\\csrss.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\Idle.exe\", \"C:\\Hyperagentdll\\ComponentDhcp.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\taskhost.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Idle.exe\""	ComponentDhcp.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2696	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2696	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2696	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2696	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2696	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2696	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2696	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2696	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2696	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2696	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2696	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2696	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2696	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2696	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2696	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2696	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2696	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2696	schtasks.exe	33

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
288	powershell.exe
3040	powershell.exe
2456	powershell.exe
2160	powershell.exe
3048	powershell.exe
1092	powershell.exe
764	powershell.exe
2524	powershell.exe
2516	powershell.exe
2520	powershell.exe
1700	powershell.exe
2364	powershell.exe
2312	powershell.exe
2188	powershell.exe
2112	powershell.exe
1296	powershell.exe
2380	powershell.exe
588	powershell.exe
1860	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2860	ComponentDhcp.exe
956	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1664	cmd.exe
1664	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Hyperagentdll\\csrss.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows NT\\Accessories\\Idle.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\taskhost.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\taskhost.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Idle.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Idle.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Hyperagentdll\\csrss.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ComponentDhcp = "\"C:\\Hyperagentdll\\ComponentDhcp.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ComponentDhcp = "\"C:\\Hyperagentdll\\ComponentDhcp.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows NT\\Accessories\\Idle.exe\""	ComponentDhcp.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCC6972228986B42F3823EC8B3265859C1.TMP	csc.exe
File created	\??\c:\Windows\System32\hi5-9c.exe	csc.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\Accessories\6ccacd8608530f	ComponentDhcp.exe
File created	C:\Program Files\Windows NT\Accessories\Idle.exe	ComponentDhcp.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\Idle.exe	ComponentDhcp.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\taskhost.exe	ComponentDhcp.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\b75386f1303e64	ComponentDhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CD0FDBF184A188298A847D17AF361C7D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2032	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2032	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2192	schtasks.exe
2344	schtasks.exe
2352	schtasks.exe
1044	schtasks.exe
2128	schtasks.exe
2968	schtasks.exe
2020	schtasks.exe
1156	schtasks.exe
1996	schtasks.exe
2436	schtasks.exe
2156	schtasks.exe
2692	schtasks.exe
1788	schtasks.exe
1064	schtasks.exe
2700	schtasks.exe
2324	schtasks.exe
1800	schtasks.exe
1940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe
2860	ComponentDhcp.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	ComponentDhcp.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	956	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2552	2236	CD0FDBF184A188298A847D17AF361C7D.exe	29
PID 2236 wrote to memory of 2552	2236	CD0FDBF184A188298A847D17AF361C7D.exe	29
PID 2236 wrote to memory of 2552	2236	CD0FDBF184A188298A847D17AF361C7D.exe	29
PID 2236 wrote to memory of 2552	2236	CD0FDBF184A188298A847D17AF361C7D.exe	29
PID 2552 wrote to memory of 1664	2552	WScript.exe	30
PID 2552 wrote to memory of 1664	2552	WScript.exe	30
PID 2552 wrote to memory of 1664	2552	WScript.exe	30
PID 2552 wrote to memory of 1664	2552	WScript.exe	30
PID 1664 wrote to memory of 2860	1664	cmd.exe	32
PID 1664 wrote to memory of 2860	1664	cmd.exe	32
PID 1664 wrote to memory of 2860	1664	cmd.exe	32
PID 1664 wrote to memory of 2860	1664	cmd.exe	32
PID 2860 wrote to memory of 1356	2860	ComponentDhcp.exe	37
PID 2860 wrote to memory of 1356	2860	ComponentDhcp.exe	37
PID 2860 wrote to memory of 1356	2860	ComponentDhcp.exe	37
PID 1356 wrote to memory of 2952	1356	csc.exe	39
PID 1356 wrote to memory of 2952	1356	csc.exe	39
PID 1356 wrote to memory of 2952	1356	csc.exe	39
PID 2860 wrote to memory of 3040	2860	ComponentDhcp.exe	55
PID 2860 wrote to memory of 3040	2860	ComponentDhcp.exe	55
PID 2860 wrote to memory of 3040	2860	ComponentDhcp.exe	55
PID 2860 wrote to memory of 2188	2860	ComponentDhcp.exe	56
PID 2860 wrote to memory of 2188	2860	ComponentDhcp.exe	56
PID 2860 wrote to memory of 2188	2860	ComponentDhcp.exe	56
PID 2860 wrote to memory of 2112	2860	ComponentDhcp.exe	57
PID 2860 wrote to memory of 2112	2860	ComponentDhcp.exe	57
PID 2860 wrote to memory of 2112	2860	ComponentDhcp.exe	57
PID 2860 wrote to memory of 2380	2860	ComponentDhcp.exe	58
PID 2860 wrote to memory of 2380	2860	ComponentDhcp.exe	58
PID 2860 wrote to memory of 2380	2860	ComponentDhcp.exe	58
PID 2860 wrote to memory of 1296	2860	ComponentDhcp.exe	59
PID 2860 wrote to memory of 1296	2860	ComponentDhcp.exe	59
PID 2860 wrote to memory of 1296	2860	ComponentDhcp.exe	59
PID 2860 wrote to memory of 3048	2860	ComponentDhcp.exe	61
PID 2860 wrote to memory of 3048	2860	ComponentDhcp.exe	61
PID 2860 wrote to memory of 3048	2860	ComponentDhcp.exe	61
PID 2860 wrote to memory of 2456	2860	ComponentDhcp.exe	62
PID 2860 wrote to memory of 2456	2860	ComponentDhcp.exe	62
PID 2860 wrote to memory of 2456	2860	ComponentDhcp.exe	62
PID 2860 wrote to memory of 2160	2860	ComponentDhcp.exe	63
PID 2860 wrote to memory of 2160	2860	ComponentDhcp.exe	63
PID 2860 wrote to memory of 2160	2860	ComponentDhcp.exe	63
PID 2860 wrote to memory of 1092	2860	ComponentDhcp.exe	67
PID 2860 wrote to memory of 1092	2860	ComponentDhcp.exe	67
PID 2860 wrote to memory of 1092	2860	ComponentDhcp.exe	67
PID 2860 wrote to memory of 764	2860	ComponentDhcp.exe	68
PID 2860 wrote to memory of 764	2860	ComponentDhcp.exe	68
PID 2860 wrote to memory of 764	2860	ComponentDhcp.exe	68
PID 2860 wrote to memory of 588	2860	ComponentDhcp.exe	69
PID 2860 wrote to memory of 588	2860	ComponentDhcp.exe	69
PID 2860 wrote to memory of 588	2860	ComponentDhcp.exe	69
PID 2860 wrote to memory of 2516	2860	ComponentDhcp.exe	70
PID 2860 wrote to memory of 2516	2860	ComponentDhcp.exe	70
PID 2860 wrote to memory of 2516	2860	ComponentDhcp.exe	70
PID 2860 wrote to memory of 2520	2860	ComponentDhcp.exe	71
PID 2860 wrote to memory of 2520	2860	ComponentDhcp.exe	71
PID 2860 wrote to memory of 2520	2860	ComponentDhcp.exe	71
PID 2860 wrote to memory of 2524	2860	ComponentDhcp.exe	72
PID 2860 wrote to memory of 2524	2860	ComponentDhcp.exe	72
PID 2860 wrote to memory of 2524	2860	ComponentDhcp.exe	72
PID 2860 wrote to memory of 1700	2860	ComponentDhcp.exe	73
PID 2860 wrote to memory of 1700	2860	ComponentDhcp.exe	73
PID 2860 wrote to memory of 1700	2860	ComponentDhcp.exe	73
PID 2860 wrote to memory of 2312	2860	ComponentDhcp.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CD0FDBF184A188298A847D17AF361C7D.exe
"C:\Users\Admin\AppData\Local\Temp\CD0FDBF184A188298A847D17AF361C7D.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Hyperagentdll\LC7NSPPjwsbedY3MJ.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Hyperagentdll\BsaJdQYq8XACECtkLxbuW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Hyperagentdll\ComponentDhcp.exe
      "C:\Hyperagentdll/ComponentDhcp.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d4vcokgb\d4vcokgb.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1356
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE540.tmp" "c:\Windows\System32\CSCC6972228986B42F3823EC8B3265859C1.TMP"
        6⤵
        
        PID:2952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Hyperagentdll/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Hyperagentdll\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Hyperagentdll\ComponentDhcp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RzTLx2TpxK.bat"
        5⤵
        
        PID:2292
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2336
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2032
      - C:\Windows\PCHEALTH\ERRORREP\QHEADLES\taskhost.exe
        
        "C:\Windows\PCHEALTH\ERRORREP\QHEADLES\taskhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Hyperagentdll\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Hyperagentdll\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Hyperagentdll\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComponentDhcpC" /sc MINUTE /mo 12 /tr "'C:\Hyperagentdll\ComponentDhcp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComponentDhcp" /sc ONLOGON /tr "'C:\Hyperagentdll\ComponentDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComponentDhcpC" /sc MINUTE /mo 6 /tr "'C:\Hyperagentdll\ComponentDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Hyperagentdll\BsaJdQYq8XACECtkLxbuW.bat

Filesize
83B

MD5
ff4cfd867a098de6bb711fee46ab71f8

SHA1
0f9a4b8cbafd88088b32bef24ea4f21d8ddb8b5e

SHA256
978666a718f5416ab586100120a9ae873eec92589fe2ffdaa7fc16dd76c8a3e2

SHA512
f3b71b50fbab5f8ee6b99fe85890dd924df2475335ea13b75a401190cbb7a697abe88e49d1c63e79b5696145ed7139542e60a38713bd93e2400a15ac8ab1f4c4

Download Submit
C:\Hyperagentdll\LC7NSPPjwsbedY3MJ.vbe

Filesize
212B

MD5
1d9cb1ea67761522a044d5a9d63c1d30

SHA1
39669d5dbd1acaf3fe109bcd9b8be67c554dcdc7

SHA256
221a01a4eb128921422b8a383388776740d3a7b014deaf6c312c3bb0a7143ef3

SHA512
5c68ab7b8ef9229e2f2fa93716f3aa30c88aeac1ff80f53c4be81a8b192a019b0d4ba6f7c729c4148e64a88875d5fb35ca4965dddea375f2010f392e9ec93780

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE540.tmp

Filesize
1KB

MD5
f631aa4fd9abad7f2df5d1485d343764

SHA1
cc4f0a60d6398298df0d882abeb239ac5fd4e8af

SHA256
21da8cc639a4c64193ee6994edb900fcae9f1e7c1c6f110c2a42197dec0fbfd7

SHA512
7bce3b3f47010602ab9a70cc21b2c6ab57f1696eda36dcb4ad594d32debf8996af3d49f66fc64eee61259067c899a62b8b2d6c0c1cd5f32c82f637e4f7a78cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RzTLx2TpxK.bat

Filesize
178B

MD5
cfd776c15dcafd9201eb9f38ea02fe98

SHA1
8f133d5704f1218b86b91ce872fae50cbbfa3d8c

SHA256
3859e89c120c988855498c1d274c33942d5092949f1c284fb9ee41231ae81256

SHA512
53955c5044098dac13880712949fcfe05cc9daca2c7874fdcc12e679e1db3e1837e352f6861f43072a08f95c1b242ee5ccf1790cd7c8a06b952e967694b7835c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9695b3f587dd4bc841e8f3e5fced5241

SHA1
91ea1ea7063541d7324015b3baa10b75d6b868c2

SHA256
aa6dc9cde667925d78acca7adb17ed70996848490597ab6ce1d2ffd3cea06bff

SHA512
ef09654f62f1287cc2d6f9581b308f05ba86fb4004aa31b4429f87a2dc37af5051da9b4ee9bc770a922eb000c3b980a9e979a45f2dbaff20ac44a8f86342e63a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d4vcokgb\d4vcokgb.0.cs

Filesize
407B

MD5
f1ddbcb6e14e1d6da3808fbddaf34b91

SHA1
6a6e879a9b132765024059eadff8406d20442074

SHA256
7386c08d5539cfe8822503c18d7ed5212c46c699dd8de7c5034519ae9df8f0e9

SHA512
feefa4d58badada58e0235d6027d8121ec328b12df54b9d5447a35cbda829c20c25c4eb05d5653bec8a650be07332d89ffa940441104c35a5338b7a27a9a8e15

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d4vcokgb\d4vcokgb.cmdline

Filesize
235B

MD5
06a13a82183451ca0b07c7f69ac5f62b

SHA1
95746f60038acfa0faa7c2231347dffae0c8c0a3

SHA256
9daa971c5023a6f6a61c77349ce32b36dd8ea407b83e2324d08c71d0b23c8898

SHA512
12c0142db107dd15567898a1aeb4fb7b04934d810e698447b214e54f6810f75f34d74a8ca8338425760ee80093e47e55ca40d73428a3128912d9b6d642e3e2b6

Download Submit
\??\c:\Windows\System32\CSCC6972228986B42F3823EC8B3265859C1.TMP

Filesize
1KB

MD5
60a1ebb8f840aad127346a607d80fc19

SHA1
c8b7e9ad601ac19ab90b3e36f811960e8badf354

SHA256
9d6a9d38b7a86cc88e551a0c1172a3fb387b1a5f928ac13993ec3387d39cc243

SHA512
44830cefb264bac520174b4b884312dd0393be33a193d4f0fee3cc3c14deb86ca39e43ef281232f9169fd204d19b22e8a7aad72fa448ca52d5cbc3ee1dbb18a4

Download Submit
\Hyperagentdll\ComponentDhcp.exe

Filesize
1.9MB

MD5
38c14805a17436bc0118dfaa6547eec0

SHA1
77ee261fd0d14577058bd1114bfd4a34aa0990e6

SHA256
afe966f7d7d027792cc718eba58d9ee3e7b2929e9cb3eed8902537d8c375e081

SHA512
bfec5fa0c4d45ebcc26bf18f3ccf0ea9b6bc6de62ce1ddfc012ef69f42c2bf45d90a3dc5f6537e62e6d0e30247eb0c2b5495249b01d0b158b6a73dd29e657754

Download Submit
memory/956-143-0x0000000000350000-0x0000000000542000-memory.dmp

Filesize
1.9MB

Download
memory/2112-68-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/2860-15-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/2860-25-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2860-23-0x00000000002A0000-0x00000000002AE000-memory.dmp

Filesize
56KB

Download
memory/2860-21-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/2860-19-0x00000000002D0000-0x00000000002E8000-memory.dmp

Filesize
96KB

Download
memory/2860-17-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/2860-13-0x0000000000930000-0x0000000000B22000-memory.dmp

Filesize
1.9MB

Download
memory/3040-136-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download