dcrat | 741e00a1f7ef7e5fe69144adfb6023fe14d29ddcd1b9982a3ebcbced6748e8fc

Analysis

max time kernel
137s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/10/2024, 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CD0FDBF184A188298A847D17AF361C7D.exe
Size

2.2MB
MD5

cd0fdbf184a188298a847d17af361c7d
SHA1

d6394498b1dc80e93010b835940a463383bcf08a
SHA256

741e00a1f7ef7e5fe69144adfb6023fe14d29ddcd1b9982a3ebcbced6748e8fc
SHA512

08f5bcd179e16dc5bbc392bd70af00925e17e307de2c11b8f247b00f961f4d7861e6d52073ccac08bd48488f884c0b34154788062bfb799593c9546c6b173461
SSDEEP

24576:2TbBv5rUyXVf7/weHc1lJq2tB/pw97SSwEWJSwDFrs7+6pa7gv6a9MrYetY5Q62w:IBJTqpji7SxFgz7XM7metv6s2N8WT

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\smss.exe\", \"C:\\Windows\\system\\services.exe\", \"C:\\Program Files\\Google\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\audiodg.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\smss.exe\", \"C:\\Windows\\system\\services.exe\", \"C:\\Program Files\\Google\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\audiodg.exe\", \"C:\\Hyperagentdll\\ComponentDhcp.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\smss.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\smss.exe\", \"C:\\Windows\\system\\services.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\smss.exe\", \"C:\\Windows\\system\\services.exe\", \"C:\\Program Files\\Google\\smss.exe\""	ComponentDhcp.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2964	schtasks.exe	35

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
268	powershell.exe
1592	powershell.exe
688	powershell.exe
1100	powershell.exe
664	powershell.exe
1360	powershell.exe
1516	powershell.exe
1140	powershell.exe
2408	powershell.exe
920	powershell.exe
1388	powershell.exe
2960	powershell.exe
2052	powershell.exe
284	powershell.exe
408	powershell.exe
940	powershell.exe
2028	powershell.exe
1076	powershell.exe
984	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2168	ComponentDhcp.exe
2528	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2524	cmd.exe
2524	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Google\\smss.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\audiodg.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ComponentDhcp = "\"C:\\Hyperagentdll\\ComponentDhcp.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\system\\services.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Defender\\fr-FR\\smss.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\system\\services.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Google\\smss.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\audiodg.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ComponentDhcp = "\"C:\\Hyperagentdll\\ComponentDhcp.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Defender\\fr-FR\\smss.exe\""	ComponentDhcp.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC5FED73C45F4044F6A97844F80789A67.TMP	csc.exe
File created	\??\c:\Windows\System32\dzuhbf.exe	csc.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\ja-JP\audiodg.exe	ComponentDhcp.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\audiodg.exe	ComponentDhcp.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\42af1c969fbb7b	ComponentDhcp.exe
File created	C:\Program Files\Windows Defender\fr-FR\smss.exe	ComponentDhcp.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\6cb0b6c459d5d3	ComponentDhcp.exe
File created	C:\Program Files\Google\smss.exe	ComponentDhcp.exe
File created	C:\Program Files\Google\69ddcba757bf72	ComponentDhcp.exe
File created	C:\Program Files\Windows Defender\fr-FR\69ddcba757bf72	ComponentDhcp.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\dwm.exe	ComponentDhcp.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\services.exe	ComponentDhcp.exe
File created	C:\Windows\system\c5b4cb5e9653cc	ComponentDhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CD0FDBF184A188298A847D17AF361C7D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1680	schtasks.exe
1952	schtasks.exe
2348	schtasks.exe
2888	schtasks.exe
316	schtasks.exe
296	schtasks.exe
2308	schtasks.exe
1412	schtasks.exe
2620	schtasks.exe
2696	schtasks.exe
2812	schtasks.exe
1692	schtasks.exe
1872	schtasks.exe
1804	schtasks.exe
2936	schtasks.exe
2096	schtasks.exe
2944	schtasks.exe
2184	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe
2168	ComponentDhcp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2528	services.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	ComponentDhcp.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	284	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	2528	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2328	2548	CD0FDBF184A188298A847D17AF361C7D.exe	30
PID 2548 wrote to memory of 2328	2548	CD0FDBF184A188298A847D17AF361C7D.exe	30
PID 2548 wrote to memory of 2328	2548	CD0FDBF184A188298A847D17AF361C7D.exe	30
PID 2548 wrote to memory of 2328	2548	CD0FDBF184A188298A847D17AF361C7D.exe	30
PID 2328 wrote to memory of 2524	2328	WScript.exe	31
PID 2328 wrote to memory of 2524	2328	WScript.exe	31
PID 2328 wrote to memory of 2524	2328	WScript.exe	31
PID 2328 wrote to memory of 2524	2328	WScript.exe	31
PID 2524 wrote to memory of 2168	2524	cmd.exe	33
PID 2524 wrote to memory of 2168	2524	cmd.exe	33
PID 2524 wrote to memory of 2168	2524	cmd.exe	33
PID 2524 wrote to memory of 2168	2524	cmd.exe	33
PID 2168 wrote to memory of 2200	2168	ComponentDhcp.exe	39
PID 2168 wrote to memory of 2200	2168	ComponentDhcp.exe	39
PID 2168 wrote to memory of 2200	2168	ComponentDhcp.exe	39
PID 2200 wrote to memory of 1376	2200	csc.exe	41
PID 2200 wrote to memory of 1376	2200	csc.exe	41
PID 2200 wrote to memory of 1376	2200	csc.exe	41
PID 2168 wrote to memory of 2408	2168	ComponentDhcp.exe	57
PID 2168 wrote to memory of 2408	2168	ComponentDhcp.exe	57
PID 2168 wrote to memory of 2408	2168	ComponentDhcp.exe	57
PID 2168 wrote to memory of 984	2168	ComponentDhcp.exe	58
PID 2168 wrote to memory of 984	2168	ComponentDhcp.exe	58
PID 2168 wrote to memory of 984	2168	ComponentDhcp.exe	58
PID 2168 wrote to memory of 408	2168	ComponentDhcp.exe	59
PID 2168 wrote to memory of 408	2168	ComponentDhcp.exe	59
PID 2168 wrote to memory of 408	2168	ComponentDhcp.exe	59
PID 2168 wrote to memory of 1140	2168	ComponentDhcp.exe	60
PID 2168 wrote to memory of 1140	2168	ComponentDhcp.exe	60
PID 2168 wrote to memory of 1140	2168	ComponentDhcp.exe	60
PID 2168 wrote to memory of 1516	2168	ComponentDhcp.exe	61
PID 2168 wrote to memory of 1516	2168	ComponentDhcp.exe	61
PID 2168 wrote to memory of 1516	2168	ComponentDhcp.exe	61
PID 2168 wrote to memory of 1360	2168	ComponentDhcp.exe	62
PID 2168 wrote to memory of 1360	2168	ComponentDhcp.exe	62
PID 2168 wrote to memory of 1360	2168	ComponentDhcp.exe	62
PID 2168 wrote to memory of 284	2168	ComponentDhcp.exe	63
PID 2168 wrote to memory of 284	2168	ComponentDhcp.exe	63
PID 2168 wrote to memory of 284	2168	ComponentDhcp.exe	63
PID 2168 wrote to memory of 664	2168	ComponentDhcp.exe	64
PID 2168 wrote to memory of 664	2168	ComponentDhcp.exe	64
PID 2168 wrote to memory of 664	2168	ComponentDhcp.exe	64
PID 2168 wrote to memory of 2052	2168	ComponentDhcp.exe	65
PID 2168 wrote to memory of 2052	2168	ComponentDhcp.exe	65
PID 2168 wrote to memory of 2052	2168	ComponentDhcp.exe	65
PID 2168 wrote to memory of 2960	2168	ComponentDhcp.exe	66
PID 2168 wrote to memory of 2960	2168	ComponentDhcp.exe	66
PID 2168 wrote to memory of 2960	2168	ComponentDhcp.exe	66
PID 2168 wrote to memory of 1100	2168	ComponentDhcp.exe	67
PID 2168 wrote to memory of 1100	2168	ComponentDhcp.exe	67
PID 2168 wrote to memory of 1100	2168	ComponentDhcp.exe	67
PID 2168 wrote to memory of 1076	2168	ComponentDhcp.exe	68
PID 2168 wrote to memory of 1076	2168	ComponentDhcp.exe	68
PID 2168 wrote to memory of 1076	2168	ComponentDhcp.exe	68
PID 2168 wrote to memory of 2028	2168	ComponentDhcp.exe	69
PID 2168 wrote to memory of 2028	2168	ComponentDhcp.exe	69
PID 2168 wrote to memory of 2028	2168	ComponentDhcp.exe	69
PID 2168 wrote to memory of 940	2168	ComponentDhcp.exe	70
PID 2168 wrote to memory of 940	2168	ComponentDhcp.exe	70
PID 2168 wrote to memory of 940	2168	ComponentDhcp.exe	70
PID 2168 wrote to memory of 1388	2168	ComponentDhcp.exe	71
PID 2168 wrote to memory of 1388	2168	ComponentDhcp.exe	71
PID 2168 wrote to memory of 1388	2168	ComponentDhcp.exe	71
PID 2168 wrote to memory of 920	2168	ComponentDhcp.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CD0FDBF184A188298A847D17AF361C7D.exe
"C:\Users\Admin\AppData\Local\Temp\CD0FDBF184A188298A847D17AF361C7D.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Hyperagentdll\LC7NSPPjwsbedY3MJ.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Hyperagentdll\BsaJdQYq8XACECtkLxbuW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Hyperagentdll\ComponentDhcp.exe
      "C:\Hyperagentdll/ComponentDhcp.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ua43wwqz\ua43wwqz.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE66.tmp" "c:\Windows\System32\CSC5FED73C45F4044F6A97844F80789A67.TMP"
        6⤵
        
        PID:1376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Hyperagentdll/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Hyperagentdll\ComponentDhcp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zs4CSoYdTq.bat"
        5⤵
        
        PID:2280
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:868
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1684
      - C:\Windows\system\services.exe
        
        "C:\Windows\system\services.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\fr-FR\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\system\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\system\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\system\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Google\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComponentDhcpC" /sc MINUTE /mo 9 /tr "'C:\Hyperagentdll\ComponentDhcp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComponentDhcp" /sc ONLOGON /tr "'C:\Hyperagentdll\ComponentDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComponentDhcpC" /sc MINUTE /mo 14 /tr "'C:\Hyperagentdll\ComponentDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Hyperagentdll\BsaJdQYq8XACECtkLxbuW.bat

Filesize
83B

MD5
ff4cfd867a098de6bb711fee46ab71f8

SHA1
0f9a4b8cbafd88088b32bef24ea4f21d8ddb8b5e

SHA256
978666a718f5416ab586100120a9ae873eec92589fe2ffdaa7fc16dd76c8a3e2

SHA512
f3b71b50fbab5f8ee6b99fe85890dd924df2475335ea13b75a401190cbb7a697abe88e49d1c63e79b5696145ed7139542e60a38713bd93e2400a15ac8ab1f4c4

Download Submit
C:\Hyperagentdll\LC7NSPPjwsbedY3MJ.vbe

Filesize
212B

MD5
1d9cb1ea67761522a044d5a9d63c1d30

SHA1
39669d5dbd1acaf3fe109bcd9b8be67c554dcdc7

SHA256
221a01a4eb128921422b8a383388776740d3a7b014deaf6c312c3bb0a7143ef3

SHA512
5c68ab7b8ef9229e2f2fa93716f3aa30c88aeac1ff80f53c4be81a8b192a019b0d4ba6f7c729c4148e64a88875d5fb35ca4965dddea375f2010f392e9ec93780

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCE66.tmp

Filesize
1KB

MD5
0abf58467419b5e4c7f4d7279152b52a

SHA1
450719adb317efa8e704848054b4d676ddeb8a8d

SHA256
7dcf1d070a2e287e5769c3b068c521e443a886e18477fd7fccca4fea52a39bfc

SHA512
b07f8452e98b0471fb143f69bbe59dfbaf916de709d986ceaf6b4e4e84da77b30e75553bc511132a4e3eb835520167b6b9e971baf665e6ee120d0560bbc4e564

Download Submit
C:\Users\Admin\AppData\Local\Temp\zs4CSoYdTq.bat

Filesize
206B

MD5
56a39c6b4ac44b6eaa54ce9050d5eb66

SHA1
fee5f5a689f860c679c4273a7bb687225935e5eb

SHA256
eafaf59cd66cdcf8aa227ffe1e8ea39919f5d05f7513aaf4e998c23ac9d24198

SHA512
6a2355fd3ee360b5fc065e01a0bc93d07c640ac22eadc299c7a8168a1b8d53ae1b19bc0173b532200877fc0c6c679919e0ea153af6926ac693d3c35a09112a8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
06ec562937d8e81a7c2cd957031eccf1

SHA1
17d6405252e3ffed2d0f880078310b840610ac20

SHA256
b20662e550c907ceccdc934065bbfba8927c0bc77d40e32765959431f4127caf

SHA512
e535529c2753657a5170e5655c4980ca52b61d13db5efcbd535f136d85456943c0de37e20f9c4fcef7c9ac44672de1f020fa4626537d805e7213aad35033950d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ua43wwqz\ua43wwqz.0.cs

Filesize
397B

MD5
69c98b98f4080ee0a0bb8c914ddcfd34

SHA1
4d1f76d20ff40ce8b76361f83fc9b3569d3d0afd

SHA256
3f4397e34b503aa0c643261883bc8e8e7bbad93d1c02105a8ecb96e3bc1cd155

SHA512
327f8eab6f703317798cd9397bd1fc47be70fa974d4621281f2365c7338ce39f1f1f344145977b6b8c00c5f1558a536d478c8f165f245f9cc860473523867bc2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ua43wwqz\ua43wwqz.cmdline

Filesize
235B

MD5
fc1105c86ab3c29ed72bd22a228a2383

SHA1
3d60353b8cadd1e95b8a7049c1f6542e2b719f17

SHA256
601ef78286ac06daf462d079b8e3aef84e6a66a3895a5d30929c68ea53fc314e

SHA512
fe5b5970d223aaff974c86e2f8728d39c8565cadb603522f86bf2f410e4ede911b49166b8450f419ebc15f6a1bbe5198415be8f299fa9ce374a05c366e464645

Download Submit
\??\c:\Windows\System32\CSC5FED73C45F4044F6A97844F80789A67.TMP

Filesize
1KB

MD5
9446a6998523ec187daa3d79bec9c8fa

SHA1
16c7f73aef03c8a15b4d9e8b1cfa5183caf7ca96

SHA256
f55f1bd2c1246cfb3b60cd8649fcc78b3837896bdf5132d6fc8ea0ecabf892d7

SHA512
fac3ad1b0c8663aaa94cd66b6ea0aa1848e570ff4a22b709cf2696abb76e28f42fb0d2a74316a7ad86bb6216177013c6b71ce2f4df139edc3054a03ee3467c9d

Download Submit
\Hyperagentdll\ComponentDhcp.exe

Filesize
1.9MB

MD5
38c14805a17436bc0118dfaa6547eec0

SHA1
77ee261fd0d14577058bd1114bfd4a34aa0990e6

SHA256
afe966f7d7d027792cc718eba58d9ee3e7b2929e9cb3eed8902537d8c375e081

SHA512
bfec5fa0c4d45ebcc26bf18f3ccf0ea9b6bc6de62ce1ddfc012ef69f42c2bf45d90a3dc5f6537e62e6d0e30247eb0c2b5495249b01d0b158b6a73dd29e657754

Download Submit
memory/2168-15-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/2168-25-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2168-23-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/2168-21-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/2168-19-0x00000000003B0000-0x00000000003C8000-memory.dmp

Filesize
96KB

Download
memory/2168-17-0x0000000000190000-0x00000000001AC000-memory.dmp

Filesize
112KB

Download
memory/2168-13-0x0000000001060000-0x0000000001252000-memory.dmp

Filesize
1.9MB

Download
memory/2408-58-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/2408-57-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2528-151-0x0000000000880000-0x0000000000A72000-memory.dmp

Filesize
1.9MB

Download