dcrat | da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28

Analysis

max time kernel
19s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
Size

4.9MB
MD5

adea3d5a416c1452e6c572b162983622
SHA1

e2ba3ad5285a08d6681c410b7e3cb313356fd6d0
SHA256

da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28
SHA512

9631b55139a134fd96ad39b3a355d10b49a20cfb00aa0ed6452dd17596815baefe0d20d89cae82933d59eea28286b02b7b92138b85257e39593ad12de8ff860a
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2900	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2136-3-0x000000001B140000-0x000000001B26E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1420	powershell.exe
1616	powershell.exe
1312	powershell.exe
1644	powershell.exe
3048	powershell.exe
1476	powershell.exe
2352	powershell.exe
2824	powershell.exe
2788	powershell.exe
2704	powershell.exe
764	powershell.exe
1904	powershell.exe

Executes dropped EXE 1 IoCs

Processes:

winlogon.exe

pid process

2296 winlogon.exe

pid	process
2296	winlogon.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exewinlogon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Drops file in Program Files directory 8 IoCs

Processes:

da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\smss.exe	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX917B.tmp	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File opened for modification	C:\Program Files\7-Zip\Lang\winlogon.exe	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\smss.exe	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\69ddcba757bf72	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File created	C:\Program Files\7-Zip\Lang\winlogon.exe	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File created	C:\Program Files\7-Zip\Lang\cc11b995f2a76d	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\RCX8CF6.tmp	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2776	schtasks.exe
2636	schtasks.exe
2220	schtasks.exe
576	schtasks.exe
1080	schtasks.exe
1896	schtasks.exe
2828	schtasks.exe
2168	schtasks.exe
1196	schtasks.exe
2124	schtasks.exe
2600	schtasks.exe
2728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewinlogon.exe

pid	process
2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
2824	powershell.exe
1476	powershell.exe
1420	powershell.exe
1644	powershell.exe
1904	powershell.exe
1312	powershell.exe
1616	powershell.exe
2352	powershell.exe
764	powershell.exe
3048	powershell.exe
2704	powershell.exe
2788	powershell.exe
2296	winlogon.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2296	winlogon.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exewinlogon.exe

description	pid	process	target process
PID 2136 wrote to memory of 2352	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 2352	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 2352	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 1420	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 1420	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 1420	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 2824	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 2824	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 2824	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 1616	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 1616	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 1616	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 1904	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 1904	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 1904	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 1476	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 1476	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 1476	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 764	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 764	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 764	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 2704	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 2704	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 2704	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 2788	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 2788	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 2788	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 3048	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 3048	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 3048	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 1312	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 1312	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 1312	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 1644	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 1644	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 1644	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	powershell.exe
PID 2136 wrote to memory of 2296	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	winlogon.exe
PID 2136 wrote to memory of 2296	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	winlogon.exe
PID 2136 wrote to memory of 2296	2136	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	winlogon.exe
PID 2296 wrote to memory of 2572	2296	winlogon.exe	WScript.exe
PID 2296 wrote to memory of 2572	2296	winlogon.exe	WScript.exe
PID 2296 wrote to memory of 2572	2296	winlogon.exe	WScript.exe
PID 2296 wrote to memory of 1080	2296	winlogon.exe	WScript.exe
PID 2296 wrote to memory of 1080	2296	winlogon.exe	WScript.exe
PID 2296 wrote to memory of 1080	2296	winlogon.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

winlogon.exeda191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
"C:\Users\Admin\AppData\Local\Temp\da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Program Files\7-Zip\Lang\winlogon.exe
  "C:\Program Files\7-Zip\Lang\winlogon.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2296
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b2b42ed-4658-4f7f-a3a5-2e24f7ade049.vbs"
    3⤵
    PID:2572
  - - C:\Program Files\7-Zip\Lang\winlogon.exe
      "C:\Program Files\7-Zip\Lang\winlogon.exe"
      4⤵
      PID:2420
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19be8845-b048-4cd9-9282-e65d567e9268.vbs"
        5⤵
        
        PID:2716
      - C:\Program Files\7-Zip\Lang\winlogon.exe
        
        "C:\Program Files\7-Zip\Lang\winlogon.exe"
        6⤵
        
        PID:972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2911765c-0bcf-4bbe-87d3-e510ae8023bb.vbs"
        7⤵
        
        PID:1772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8dc81509-80eb-4b04-8f35-34761ad9b0bb.vbs"
        7⤵
        
        PID:1644
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64b73f56-897a-4faa-ad51-ae7e7e8fa6bb.vbs"
        5⤵
        
        PID:1004
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4120383-bc30-4409-a81b-16e1aee36b44.vbs"
    3⤵
    PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\winlogon.exe

Filesize
2.9MB

MD5
aa3274779d2e668887478cdf297f7489

SHA1
114ee1b3e61d57e22655a9c829bc451b7071fe6f

SHA256
cb93fa13378aac38051b64d6b571533bc9a3394a868111d36cd5d2e0bbcc760f

SHA512
5fc200d01c4604884eb12d154c78a34baed1aad4734e0fcc66b18b203e16d763d619f0178cae3fd53b8a574261c65c21728f0b4eb402a80ee4fbf2ecffbf6d4f

Download Submit
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe

Filesize
4.9MB

MD5
adea3d5a416c1452e6c572b162983622

SHA1
e2ba3ad5285a08d6681c410b7e3cb313356fd6d0

SHA256
da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28

SHA512
9631b55139a134fd96ad39b3a355d10b49a20cfb00aa0ed6452dd17596815baefe0d20d89cae82933d59eea28286b02b7b92138b85257e39593ad12de8ff860a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10770bd47368861c1bd3fed1700d203ad75762c4.exe

Filesize
2.4MB

MD5
d01257a00f9d728265b2df6ba00caad6

SHA1
80eb3a13f94c9703a1f4a4cdfae64a1522ce562d

SHA256
f6879696a7928d7f014dafe8f892801362700a9e010e30b7846c72570606e094

SHA512
e431a65c5a591cc7bbf3df02d1dcb2415e3f90f7695d7df08a7333b63e3f92406841906d933887339b5d975f26b4efae5b7b93ed061b6988f87ae58e1d2b3e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\19be8845-b048-4cd9-9282-e65d567e9268.vbs

Filesize
716B

MD5
3e92a2d1c23772ae097ceb4925f14225

SHA1
fbc2ff7a2eebe5e21ac56c884b02fdb709518a72

SHA256
f7db637a5b12de9ba3f3c5121232062dfb074323dfd085ecd26e78a8ba4e5aeb

SHA512
248a2166c0b75838301c92ba8995a9a9a1ef0a82e814fdab3e01dc49ef286c20f94366a7b50c3e26f0853ca5b58b303a2103482b5ca48d98a33ceeb636c06ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2911765c-0bcf-4bbe-87d3-e510ae8023bb.vbs

Filesize
715B

MD5
1a690edf60269abf60b4ef8ad956b5d3

SHA1
886ee60e09e1f89496ba25bd0f31db25302730b3

SHA256
cadc7ce9624cff79b337253805773c91ff3a3dfc1fdc522981e65f5269676f65

SHA512
eec6b5494c4060d8702a43d4711064bbd36d4cbd213fd05f00547a3e98f2a8cf26ef0626f0abbb0c8205f3686d6a5bf3ba27a216bd301cfc4ba80ea2ed98f11d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b2b42ed-4658-4f7f-a3a5-2e24f7ade049.vbs

Filesize
716B

MD5
8cdd0cf4a9fa18b686cac6c5e4f288f2

SHA1
e5cdabd58f81746e8dadb82e681f5945e917b8e4

SHA256
2ad2cfb6251efc131e3177d45d766a74b90662ebbcb49b1aa1e03255894bb605

SHA512
05aff43eb6e59b1436730e116b8c188bc33b73a633174b71ec19f9a4142a56e63f9c4fc1a15ba04ab3388648864b2097cd1d51f97313ad5f7345d377c93bea7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4120383-bc30-4409-a81b-16e1aee36b44.vbs

Filesize
492B

MD5
49cc4b4eabd60e20ae8fee4ff3daa514

SHA1
22c7874ed50d8be3d3ef48202cd7cf4770830aeb

SHA256
46fbaa5b2e80b920ac88f9583f0a8d4059db155cb26d3aa7ff3556ffd827f565

SHA512
43f3cba61608f812be4b8e7e3b31b0e5c2bd87cdd18a22bf0c8caff467f9911720d01cc885474a7bde874094b67417845247ac58194112eba6ce6f7f8c007e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA3AF.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f64453a85584598a82e50279486d58fe

SHA1
98658981671524bbf7437cf06979e63e4f941cd6

SHA256
67778b17a1ff3f0be392c6d86025593f8df271408e6a2dadc7de1acce37093f9

SHA512
68944d91f4838a25f3bff6d21617735ad8a9c8dd7d93abd050c4622924a6b1cde1583eb34ffa7c2ad013e8743ea694e064a33020979c2d725912b0eb0c27c991

Download Submit
memory/972-154-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/1476-98-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2136-8-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

Filesize
64KB

Download
memory/2136-68-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2136-13-0x0000000002660000-0x000000000266E000-memory.dmp

Filesize
56KB

Download
memory/2136-14-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/2136-15-0x0000000002680000-0x0000000002688000-memory.dmp

Filesize
32KB

Download
memory/2136-16-0x0000000002690000-0x000000000269C000-memory.dmp

Filesize
48KB

Download
memory/2136-11-0x00000000025C0000-0x00000000025CA000-memory.dmp

Filesize
40KB

Download
memory/2136-1-0x0000000000130000-0x0000000000624000-memory.dmp

Filesize
5.0MB

Download
memory/2136-10-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2136-9-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

Filesize
40KB

Download
memory/2136-2-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2136-12-0x0000000002650000-0x000000000265E000-memory.dmp

Filesize
56KB

Download
memory/2136-3-0x000000001B140000-0x000000001B26E000-memory.dmp

Filesize
1.2MB

Download
memory/2136-0-0x000007FEF5883000-0x000007FEF5884000-memory.dmp

Filesize
4KB

Download
memory/2136-7-0x0000000000AC0000-0x0000000000AD6000-memory.dmp

Filesize
88KB

Download
memory/2136-5-0x0000000000900000-0x0000000000908000-memory.dmp

Filesize
32KB

Download
memory/2136-4-0x0000000000A90000-0x0000000000AAC000-memory.dmp

Filesize
112KB

Download
memory/2136-6-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/2296-125-0x0000000000B50000-0x0000000000B62000-memory.dmp

Filesize
72KB

Download
memory/2296-62-0x0000000000E20000-0x0000000001314000-memory.dmp

Filesize
5.0MB

Download
memory/2420-139-0x00000000012E0000-0x00000000017D4000-memory.dmp

Filesize
5.0MB

Download
memory/2824-69-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download