dcrat | 741e00a1f7ef7e5fe69144adfb6023fe14d29ddcd1b9982a3ebcbced6748e8fc

Analysis

max time kernel
143s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

741e00a1f7ef7e5fe69144adfb6023fe14d29ddcd1b9982a3ebcbced6748e8fc.exe
Size

2.2MB
MD5

cd0fdbf184a188298a847d17af361c7d
SHA1

d6394498b1dc80e93010b835940a463383bcf08a
SHA256

741e00a1f7ef7e5fe69144adfb6023fe14d29ddcd1b9982a3ebcbced6748e8fc
SHA512

08f5bcd179e16dc5bbc392bd70af00925e17e307de2c11b8f247b00f961f4d7861e6d52073ccac08bd48488f884c0b34154788062bfb799593c9546c6b173461
SSDEEP

24576:2TbBv5rUyXVf7/weHc1lJq2tB/pw97SSwEWJSwDFrs7+6pa7gv6a9MrYetY5Q62w:IBJTqpji7SxFgz7XM7metv6s2N8WT

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\services.exe\", \"C:\\Windows\\debug\\WIA\\ComponentDhcp.exe\", \"C:\\Users\\Admin\\Saved Games\\OSPPSVC.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\winlogon.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\services.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\services.exe\", \"C:\\Windows\\debug\\WIA\\ComponentDhcp.exe\", \"C:\\Users\\Admin\\Saved Games\\OSPPSVC.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\winlogon.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\services.exe\", \"C:\\Hyperagentdll\\ComponentDhcp.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\services.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\services.exe\", \"C:\\Windows\\debug\\WIA\\ComponentDhcp.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\services.exe\", \"C:\\Windows\\debug\\WIA\\ComponentDhcp.exe\", \"C:\\Users\\Admin\\Saved Games\\OSPPSVC.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\services.exe\", \"C:\\Windows\\debug\\WIA\\ComponentDhcp.exe\", \"C:\\Users\\Admin\\Saved Games\\OSPPSVC.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\winlogon.exe\""	ComponentDhcp.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	3020	schtasks.exe	34

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3064	powershell.exe
1976	powershell.exe
2500	powershell.exe
2000	powershell.exe
1472	powershell.exe
2360	powershell.exe
2232	powershell.exe
2240	powershell.exe
2052	powershell.exe
876	powershell.exe
2336	powershell.exe
676	powershell.exe
988	powershell.exe
2108	powershell.exe
1992	powershell.exe
2424	powershell.exe
1284	powershell.exe
1800	powershell.exe
2060	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2736	ComponentDhcp.exe
1768	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
2776	cmd.exe
2776	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ComponentDhcp = "\"C:\\Windows\\debug\\WIA\\ComponentDhcp.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ComponentDhcp = "\"C:\\Windows\\debug\\WIA\\ComponentDhcp.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Users\\Admin\\Saved Games\\OSPPSVC.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Users\\Admin\\Saved Games\\OSPPSVC.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\services.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ComponentDhcp = "\"C:\\Hyperagentdll\\ComponentDhcp.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\services.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\services.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\winlogon.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\winlogon.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\services.exe\""	ComponentDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ComponentDhcp = "\"C:\\Hyperagentdll\\ComponentDhcp.exe\""	ComponentDhcp.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\byyuy-.exe	csc.exe
File created	\??\c:\Windows\System32\CSC46009D3A691549F58ECFCB85312BD1AE.TMP	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office14\1033\services.exe	ComponentDhcp.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\c5b4cb5e9653cc	ComponentDhcp.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\debug\WIA\ComponentDhcp.exe	ComponentDhcp.exe
File created	C:\Windows\debug\WIA\6cb19de3a42d42	ComponentDhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	741e00a1f7ef7e5fe69144adfb6023fe14d29ddcd1b9982a3ebcbced6748e8fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2324	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2324	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2756	schtasks.exe
1296	schtasks.exe
2144	schtasks.exe
2828	schtasks.exe
2312	schtasks.exe
2184	schtasks.exe
2896	schtasks.exe
2856	schtasks.exe
992	schtasks.exe
1960	schtasks.exe
2860	schtasks.exe
2584	schtasks.exe
532	schtasks.exe
932	schtasks.exe
1096	schtasks.exe
2116	schtasks.exe
2344	schtasks.exe
2980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe
2736	ComponentDhcp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1768	winlogon.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	ComponentDhcp.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	1768	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2820	2640	741e00a1f7ef7e5fe69144adfb6023fe14d29ddcd1b9982a3ebcbced6748e8fc.exe	30
PID 2640 wrote to memory of 2820	2640	741e00a1f7ef7e5fe69144adfb6023fe14d29ddcd1b9982a3ebcbced6748e8fc.exe	30
PID 2640 wrote to memory of 2820	2640	741e00a1f7ef7e5fe69144adfb6023fe14d29ddcd1b9982a3ebcbced6748e8fc.exe	30
PID 2640 wrote to memory of 2820	2640	741e00a1f7ef7e5fe69144adfb6023fe14d29ddcd1b9982a3ebcbced6748e8fc.exe	30
PID 2820 wrote to memory of 2776	2820	WScript.exe	31
PID 2820 wrote to memory of 2776	2820	WScript.exe	31
PID 2820 wrote to memory of 2776	2820	WScript.exe	31
PID 2820 wrote to memory of 2776	2820	WScript.exe	31
PID 2776 wrote to memory of 2736	2776	cmd.exe	33
PID 2776 wrote to memory of 2736	2776	cmd.exe	33
PID 2776 wrote to memory of 2736	2776	cmd.exe	33
PID 2776 wrote to memory of 2736	2776	cmd.exe	33
PID 2736 wrote to memory of 1240	2736	ComponentDhcp.exe	38
PID 2736 wrote to memory of 1240	2736	ComponentDhcp.exe	38
PID 2736 wrote to memory of 1240	2736	ComponentDhcp.exe	38
PID 1240 wrote to memory of 2524	1240	csc.exe	40
PID 1240 wrote to memory of 2524	1240	csc.exe	40
PID 1240 wrote to memory of 2524	1240	csc.exe	40
PID 2736 wrote to memory of 3064	2736	ComponentDhcp.exe	56
PID 2736 wrote to memory of 3064	2736	ComponentDhcp.exe	56
PID 2736 wrote to memory of 3064	2736	ComponentDhcp.exe	56
PID 2736 wrote to memory of 1976	2736	ComponentDhcp.exe	57
PID 2736 wrote to memory of 1976	2736	ComponentDhcp.exe	57
PID 2736 wrote to memory of 1976	2736	ComponentDhcp.exe	57
PID 2736 wrote to memory of 2360	2736	ComponentDhcp.exe	58
PID 2736 wrote to memory of 2360	2736	ComponentDhcp.exe	58
PID 2736 wrote to memory of 2360	2736	ComponentDhcp.exe	58
PID 2736 wrote to memory of 2232	2736	ComponentDhcp.exe	59
PID 2736 wrote to memory of 2232	2736	ComponentDhcp.exe	59
PID 2736 wrote to memory of 2232	2736	ComponentDhcp.exe	59
PID 2736 wrote to memory of 2240	2736	ComponentDhcp.exe	60
PID 2736 wrote to memory of 2240	2736	ComponentDhcp.exe	60
PID 2736 wrote to memory of 2240	2736	ComponentDhcp.exe	60
PID 2736 wrote to memory of 1992	2736	ComponentDhcp.exe	61
PID 2736 wrote to memory of 1992	2736	ComponentDhcp.exe	61
PID 2736 wrote to memory of 1992	2736	ComponentDhcp.exe	61
PID 2736 wrote to memory of 2424	2736	ComponentDhcp.exe	62
PID 2736 wrote to memory of 2424	2736	ComponentDhcp.exe	62
PID 2736 wrote to memory of 2424	2736	ComponentDhcp.exe	62
PID 2736 wrote to memory of 2052	2736	ComponentDhcp.exe	63
PID 2736 wrote to memory of 2052	2736	ComponentDhcp.exe	63
PID 2736 wrote to memory of 2052	2736	ComponentDhcp.exe	63
PID 2736 wrote to memory of 2336	2736	ComponentDhcp.exe	64
PID 2736 wrote to memory of 2336	2736	ComponentDhcp.exe	64
PID 2736 wrote to memory of 2336	2736	ComponentDhcp.exe	64
PID 2736 wrote to memory of 1284	2736	ComponentDhcp.exe	65
PID 2736 wrote to memory of 1284	2736	ComponentDhcp.exe	65
PID 2736 wrote to memory of 1284	2736	ComponentDhcp.exe	65
PID 2736 wrote to memory of 1800	2736	ComponentDhcp.exe	66
PID 2736 wrote to memory of 1800	2736	ComponentDhcp.exe	66
PID 2736 wrote to memory of 1800	2736	ComponentDhcp.exe	66
PID 2736 wrote to memory of 676	2736	ComponentDhcp.exe	67
PID 2736 wrote to memory of 676	2736	ComponentDhcp.exe	67
PID 2736 wrote to memory of 676	2736	ComponentDhcp.exe	67
PID 2736 wrote to memory of 988	2736	ComponentDhcp.exe	68
PID 2736 wrote to memory of 988	2736	ComponentDhcp.exe	68
PID 2736 wrote to memory of 988	2736	ComponentDhcp.exe	68
PID 2736 wrote to memory of 2108	2736	ComponentDhcp.exe	69
PID 2736 wrote to memory of 2108	2736	ComponentDhcp.exe	69
PID 2736 wrote to memory of 2108	2736	ComponentDhcp.exe	69
PID 2736 wrote to memory of 2500	2736	ComponentDhcp.exe	70
PID 2736 wrote to memory of 2500	2736	ComponentDhcp.exe	70
PID 2736 wrote to memory of 2500	2736	ComponentDhcp.exe	70
PID 2736 wrote to memory of 2060	2736	ComponentDhcp.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\741e00a1f7ef7e5fe69144adfb6023fe14d29ddcd1b9982a3ebcbced6748e8fc.exe
"C:\Users\Admin\AppData\Local\Temp\741e00a1f7ef7e5fe69144adfb6023fe14d29ddcd1b9982a3ebcbced6748e8fc.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Hyperagentdll\LC7NSPPjwsbedY3MJ.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Hyperagentdll\BsaJdQYq8XACECtkLxbuW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Hyperagentdll\ComponentDhcp.exe
      "C:\Hyperagentdll/ComponentDhcp.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rd4nkd4w\rd4nkd4w.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1240
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C24.tmp" "c:\Windows\System32\CSC46009D3A691549F58ECFCB85312BD1AE.TMP"
        6⤵
        
        PID:2524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Hyperagentdll/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\ComponentDhcp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Hyperagentdll\ComponentDhcp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XYeoBgYtJ7.bat"
        5⤵
        
        PID:1872
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1096
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2324
      - C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\1033\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComponentDhcpC" /sc MINUTE /mo 6 /tr "'C:\Windows\debug\WIA\ComponentDhcp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComponentDhcp" /sc ONLOGON /tr "'C:\Windows\debug\WIA\ComponentDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComponentDhcpC" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\WIA\ComponentDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Saved Games\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComponentDhcpC" /sc MINUTE /mo 12 /tr "'C:\Hyperagentdll\ComponentDhcp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComponentDhcp" /sc ONLOGON /tr "'C:\Hyperagentdll\ComponentDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComponentDhcpC" /sc MINUTE /mo 12 /tr "'C:\Hyperagentdll\ComponentDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Hyperagentdll\BsaJdQYq8XACECtkLxbuW.bat

Filesize
83B

MD5
ff4cfd867a098de6bb711fee46ab71f8

SHA1
0f9a4b8cbafd88088b32bef24ea4f21d8ddb8b5e

SHA256
978666a718f5416ab586100120a9ae873eec92589fe2ffdaa7fc16dd76c8a3e2

SHA512
f3b71b50fbab5f8ee6b99fe85890dd924df2475335ea13b75a401190cbb7a697abe88e49d1c63e79b5696145ed7139542e60a38713bd93e2400a15ac8ab1f4c4

Download Submit
C:\Hyperagentdll\LC7NSPPjwsbedY3MJ.vbe

Filesize
212B

MD5
1d9cb1ea67761522a044d5a9d63c1d30

SHA1
39669d5dbd1acaf3fe109bcd9b8be67c554dcdc7

SHA256
221a01a4eb128921422b8a383388776740d3a7b014deaf6c312c3bb0a7143ef3

SHA512
5c68ab7b8ef9229e2f2fa93716f3aa30c88aeac1ff80f53c4be81a8b192a019b0d4ba6f7c729c4148e64a88875d5fb35ca4965dddea375f2010f392e9ec93780

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5C24.tmp

Filesize
1KB

MD5
e5f4d98ed7e5725a9bb7aad7847459f1

SHA1
a03b78028371b4936f79f96f001c739ddde57a06

SHA256
801124cef601cbcc7fe11817c1aa3c58bbd20e1107862cdfa2902a34e962417e

SHA512
50be484f05136ec38521c04ba1f60ed0e7e3f8dc467633bb6b08eccf0505dd786f3d885b89a6453ccfa8238a7b98edc83b7761054091a78d929889b47c8a3481

Download Submit
C:\Users\Admin\AppData\Local\Temp\XYeoBgYtJ7.bat

Filesize
189B

MD5
b2678f27f23fc17ec6ff0afb83f55bb4

SHA1
1cf4e622af3008c3583d873bf9a67bcf9bd71b88

SHA256
3bd2e69182a9481bd07bc04d590f44ec00381edef9aedf212da4fb3bcb492dd9

SHA512
dd786e4b79ce5e2220ecbff6e7d1c1d73eb32b87e25446a2569a07691e01c87ff045334c0b0f23f2cb94d7b62e580513c4446ff04315a92d14f132e9037f1120

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f23fbe91a33bc3ff7b5d4dbd44e096f6

SHA1
2d4ec3ada086faa466cf23a668224d8a260c1224

SHA256
e686d6678e6b885c66af7f1cdfbebcc5698de66a1d8ee072b14e7d616a8e320b

SHA512
099bf10514db76661d4bf6c76821641af1bcde84e0cc46916073f99afd22fcf3a582e253ad0cb68f0f29eb0fb92d0b329394047e361f9229739b354586429c74

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rd4nkd4w\rd4nkd4w.0.cs

Filesize
392B

MD5
98ac9fe61ac5466cc5b1f8fc0792aba4

SHA1
1ab900e605971abfeeacd7547e242417f73da3b2

SHA256
ca70dc3e39f8fb3a806f4a909515a30f99cfb15efc2e22194a47210887913296

SHA512
094bda1fb215ddba0aa4162695bcec005aadce69010b043b9514672ceec7ce62d6bfc0eca1b3f606bd533be1f1a51976c3a51502735dcca41daef18444541986

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rd4nkd4w\rd4nkd4w.cmdline

Filesize
235B

MD5
bef4d0981e6eaeaf940f2e4bb99bdf94

SHA1
1d70e76256183b1da439a693c068d869cb73e34d

SHA256
bdeda77080ee3f98c203dcb591f94c9606828e3a220c97a20b8a050e29a9b72e

SHA512
632c5cd9700acef4cedcab91698a0e454a1d3125225734c50f9067d559414ea58e1011c9c2bc0b02f4260580721524658e1dde79206933ed322f43174aa5a686

Download Submit
\??\c:\Windows\System32\CSC46009D3A691549F58ECFCB85312BD1AE.TMP

Filesize
1KB

MD5
078586b266e519b5c113064d7a0bf45c

SHA1
a9395c0ef35add5c75591ebb94c85c1f33f408bf

SHA256
ccf292ff9f142b204ad4f4481a044ba8f9ab274305dcb604bf0b8ae91819ab1e

SHA512
5b8eb6aad62657309088c4668d633c2aa6324d4824ec32c3c5e133df0a5493a4342c980e077ba565f3aab29c58f95c8db7195415a1e554384405c1457730f959

Download Submit
\Hyperagentdll\ComponentDhcp.exe

Filesize
1.9MB

MD5
38c14805a17436bc0118dfaa6547eec0

SHA1
77ee261fd0d14577058bd1114bfd4a34aa0990e6

SHA256
afe966f7d7d027792cc718eba58d9ee3e7b2929e9cb3eed8902537d8c375e081

SHA512
bfec5fa0c4d45ebcc26bf18f3ccf0ea9b6bc6de62ce1ddfc012ef69f42c2bf45d90a3dc5f6537e62e6d0e30247eb0c2b5495249b01d0b158b6a73dd29e657754

Download Submit
memory/1768-149-0x0000000000090000-0x0000000000282000-memory.dmp

Filesize
1.9MB

Download
memory/2052-59-0x0000000002A00000-0x0000000002A08000-memory.dmp

Filesize
32KB

Download
memory/2052-58-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2736-15-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/2736-25-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2736-23-0x00000000004F0000-0x00000000004FE000-memory.dmp

Filesize
56KB

Download
memory/2736-21-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/2736-19-0x00000000004D0000-0x00000000004E8000-memory.dmp

Filesize
96KB

Download
memory/2736-17-0x00000000004B0000-0x00000000004CC000-memory.dmp

Filesize
112KB

Download
memory/2736-13-0x0000000001190000-0x0000000001382000-memory.dmp

Filesize
1.9MB

Download