dcrat | 725cac30bc1f807136d69a9845a5cef1610194da8d9e76d1920d1c53ead8e8c7

Analysis

max time kernel
51s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-11-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

725cac30bc1f807136d69a9845a5cef1610194da8d9e76d1920d1c53ead8e8c7N.exe
Size

2.2MB
MD5

6635e1b3e034061323a0c58b7e603300
SHA1

590d818073040f7536b56d23697c216e01d625f8
SHA256

725cac30bc1f807136d69a9845a5cef1610194da8d9e76d1920d1c53ead8e8c7
SHA512

f388421b20d2e5d56b4e0809ce82485d1e717c10c07e821a10cb7724dd3ebdb780bf67b89de336bd5fd973d94956b4e571a95ecb2e623200e6e39d09981c3a72
SSDEEP

49152:IBJEtknqMuqTELtvmUfSz4mTkqUBrWsSMTm:yutkSqQpvmUK4mg1ys8

Score

10^/10

dcrat discovery evasion execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\dwm.exe\""	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\dwm.exe\", \"C:\\Users\\All Users\\Application Data\\csrss.exe\""	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\dwm.exe\", \"C:\\Users\\All Users\\Application Data\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\spoolsv.exe\""	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\dwm.exe\", \"C:\\Users\\All Users\\Application Data\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\spoolsv.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\taskhost.exe\""	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\dwm.exe\", \"C:\\Users\\All Users\\Application Data\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\spoolsv.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\taskhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dllhost.exe\""	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\dwm.exe\", \"C:\\Users\\All Users\\Application Data\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\spoolsv.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\taskhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\discord\\conhost.exe\""	conhost.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2684	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2684	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2684	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2684	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2684	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2684	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2684	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2684	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2684	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2684	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2684	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2684	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2684	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2684	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2684	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2684	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2684	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2684	schtasks.exe	34

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1640	powershell.exe
2320	powershell.exe
440	powershell.exe
2456	powershell.exe
2784	powershell.exe
3064	powershell.exe
1220	powershell.exe
684	powershell.exe
872	powershell.exe
1264	powershell.exe
1768	powershell.exe
2160	powershell.exe
1124	powershell.exe
2544	powershell.exe
1060	powershell.exe
2140	powershell.exe
2184	powershell.exe
2328	powershell.exe
2864	powershell.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
1672	conhost.exe
752	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2072	cmd.exe
2072	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Application Data\\csrss.exe\""	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Defender\\spoolsv.exe\""	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Defender\\spoolsv.exe\""	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\taskhost.exe\""	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\7-Zip\\Lang\\dllhost.exe\""	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Admin\\AppData\\Roaming\\discord\\conhost.exe\""	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\dwm.exe\""	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\dwm.exe\""	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Admin\\AppData\\Roaming\\discord\\conhost.exe\""	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\7-Zip\\Lang\\dllhost.exe\""	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Application Data\\csrss.exe\""	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\taskhost.exe\""	conhost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\qmeprf.exe	csc.exe
File created	\??\c:\Windows\System32\CSCD42BB5CCD2EE403EA1F17686DAA1FDA8.TMP	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\dllhost.exe	conhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\dllhost.exe	conhost.exe
File created	C:\Program Files\7-Zip\Lang\5940a34987c991	conhost.exe
File created	C:\Program Files\Windows Defender\spoolsv.exe	conhost.exe
File created	C:\Program Files\Windows Defender\f3b6ecef712a24	conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	725cac30bc1f807136d69a9845a5cef1610194da8d9e76d1920d1c53ead8e8c7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2516	PING.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2092	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2516	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2700	schtasks.exe
2508	schtasks.exe
2884	schtasks.exe
1876	schtasks.exe
2452	schtasks.exe
1804	schtasks.exe
1932	schtasks.exe
2024	schtasks.exe
1780	schtasks.exe
1796	schtasks.exe
2524	schtasks.exe
2600	schtasks.exe
2360	schtasks.exe
1028	schtasks.exe
2244	schtasks.exe
1936	schtasks.exe
1776	schtasks.exe
1756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2160	powershell.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe
1672	conhost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	1672	conhost.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	440	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	752	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2300	2872	725cac30bc1f807136d69a9845a5cef1610194da8d9e76d1920d1c53ead8e8c7N.exe	28
PID 2872 wrote to memory of 2300	2872	725cac30bc1f807136d69a9845a5cef1610194da8d9e76d1920d1c53ead8e8c7N.exe	28
PID 2872 wrote to memory of 2300	2872	725cac30bc1f807136d69a9845a5cef1610194da8d9e76d1920d1c53ead8e8c7N.exe	28
PID 2872 wrote to memory of 2300	2872	725cac30bc1f807136d69a9845a5cef1610194da8d9e76d1920d1c53ead8e8c7N.exe	28
PID 2300 wrote to memory of 2072	2300	WScript.exe	29
PID 2300 wrote to memory of 2072	2300	WScript.exe	29
PID 2300 wrote to memory of 2072	2300	WScript.exe	29
PID 2300 wrote to memory of 2072	2300	WScript.exe	29
PID 2072 wrote to memory of 2092	2072	cmd.exe	31
PID 2072 wrote to memory of 2092	2072	cmd.exe	31
PID 2072 wrote to memory of 2092	2072	cmd.exe	31
PID 2072 wrote to memory of 2092	2072	cmd.exe	31
PID 2072 wrote to memory of 2160	2072	cmd.exe	32
PID 2072 wrote to memory of 2160	2072	cmd.exe	32
PID 2072 wrote to memory of 2160	2072	cmd.exe	32
PID 2072 wrote to memory of 2160	2072	cmd.exe	32
PID 2072 wrote to memory of 1672	2072	cmd.exe	33
PID 2072 wrote to memory of 1672	2072	cmd.exe	33
PID 2072 wrote to memory of 1672	2072	cmd.exe	33
PID 2072 wrote to memory of 1672	2072	cmd.exe	33
PID 1672 wrote to memory of 2648	1672	conhost.exe	38
PID 1672 wrote to memory of 2648	1672	conhost.exe	38
PID 1672 wrote to memory of 2648	1672	conhost.exe	38
PID 2648 wrote to memory of 2480	2648	csc.exe	40
PID 2648 wrote to memory of 2480	2648	csc.exe	40
PID 2648 wrote to memory of 2480	2648	csc.exe	40
PID 1672 wrote to memory of 2864	1672	conhost.exe	56
PID 1672 wrote to memory of 2864	1672	conhost.exe	56
PID 1672 wrote to memory of 2864	1672	conhost.exe	56
PID 1672 wrote to memory of 2784	1672	conhost.exe	57
PID 1672 wrote to memory of 2784	1672	conhost.exe	57
PID 1672 wrote to memory of 2784	1672	conhost.exe	57
PID 1672 wrote to memory of 1640	1672	conhost.exe	59
PID 1672 wrote to memory of 1640	1672	conhost.exe	59
PID 1672 wrote to memory of 1640	1672	conhost.exe	59
PID 1672 wrote to memory of 2184	1672	conhost.exe	60
PID 1672 wrote to memory of 2184	1672	conhost.exe	60
PID 1672 wrote to memory of 2184	1672	conhost.exe	60
PID 1672 wrote to memory of 2140	1672	conhost.exe	61
PID 1672 wrote to memory of 2140	1672	conhost.exe	61
PID 1672 wrote to memory of 2140	1672	conhost.exe	61
PID 1672 wrote to memory of 2320	1672	conhost.exe	62
PID 1672 wrote to memory of 2320	1672	conhost.exe	62
PID 1672 wrote to memory of 2320	1672	conhost.exe	62
PID 1672 wrote to memory of 3064	1672	conhost.exe	63
PID 1672 wrote to memory of 3064	1672	conhost.exe	63
PID 1672 wrote to memory of 3064	1672	conhost.exe	63
PID 1672 wrote to memory of 1060	1672	conhost.exe	64
PID 1672 wrote to memory of 1060	1672	conhost.exe	64
PID 1672 wrote to memory of 1060	1672	conhost.exe	64
PID 1672 wrote to memory of 2544	1672	conhost.exe	65
PID 1672 wrote to memory of 2544	1672	conhost.exe	65
PID 1672 wrote to memory of 2544	1672	conhost.exe	65
PID 1672 wrote to memory of 1220	1672	conhost.exe	66
PID 1672 wrote to memory of 1220	1672	conhost.exe	66
PID 1672 wrote to memory of 1220	1672	conhost.exe	66
PID 1672 wrote to memory of 1124	1672	conhost.exe	67
PID 1672 wrote to memory of 1124	1672	conhost.exe	67
PID 1672 wrote to memory of 1124	1672	conhost.exe	67
PID 1672 wrote to memory of 2328	1672	conhost.exe	69
PID 1672 wrote to memory of 2328	1672	conhost.exe	69
PID 1672 wrote to memory of 2328	1672	conhost.exe	69
PID 1672 wrote to memory of 684	1672	conhost.exe	71
PID 1672 wrote to memory of 684	1672	conhost.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\725cac30bc1f807136d69a9845a5cef1610194da8d9e76d1920d1c53ead8e8c7N.exe
"C:\Users\Admin\AppData\Local\Temp\725cac30bc1f807136d69a9845a5cef1610194da8d9e76d1920d1c53ead8e8c7N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\discord\j85J.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\discord\HRJedrpRSEvRWkc5AsZysCURAW4ZqH13C4viou2orJURm0r.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2092
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath C:\
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2160
  - - C:\Users\Admin\AppData\Roaming\discord\conhost.exe
      "C:\Users\Admin\AppData\Roaming\discord/conhost.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1672
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\utwd04ha\utwd04ha.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2648
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES932B.tmp" "c:\Windows\System32\CSCD42BB5CCD2EE403EA1F17686DAA1FDA8.TMP"
        6⤵
        
        PID:2480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\discord\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NqrZYB5xM3.bat"
        5⤵
        
        PID:1272
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2588
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2516
      - C:\Users\Admin\AppData\Roaming\discord\conhost.exe
        
        "C:\Users\Admin\AppData\Roaming\discord\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Roaming\discord\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\discord\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\discord\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NqrZYB5xM3.bat

Filesize
178B

MD5
515954718bdd89480d4d379ba7039233

SHA1
f45143f86b552cc8b11cec81bbf02385ae22d5f9

SHA256
fbc0833fd6cb7665609049c74eda17eccea9af3f80526b22a7c65459ce34a424

SHA512
ec9688e71b3ee2c26a87d900bac49946de44a059b60bc7c390936264500ad63e0905f05ee550e7eb19fef23f3b67287cf32226389a62234c154e30b0d329f027

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES932B.tmp

Filesize
1KB

MD5
12b4d4ce10f36fa78b77a673457fd949

SHA1
07413f808f183d1e6c91f4a7318f51f16204ba24

SHA256
c2b644e7d757a54483529e9d4832e95e654dbfdfaa30778a2e9ca0cbd19682fb

SHA512
61e9043d260382b748e8d82318fb36af71c2e9f5c15c101e95bad29221561b7ff3f1daaf3cc2b9951b7f3873f2a5cda8d9fada7d414499db45591abe530721ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8b3b29b045c3c6127d1198eaba7d3270

SHA1
8494148dba33d2b6ab267a6f75968f95e3176811

SHA256
308a25785456b5ed9921b8a9bb8546e382bf2cdac1c1fcc2255d0ba8752da565

SHA512
4aab9e6cc11de06428a26ca59dc6268831f0575d33398c678dfceafa8cf7006a5043a3551b4ec8998bab848e55901157b02fc86ed0a3e5f9f443d38b7e8d68f5

Download Submit
C:\Users\Admin\AppData\Roaming\discord\HRJedrpRSEvRWkc5AsZysCURAW4ZqH13C4viou2orJURm0r.bat

Filesize
259B

MD5
485cb25e2ba006537bbbabd12800c1dc

SHA1
37775c65f57debb54cf055d2349046db190180fb

SHA256
e856d0bed3738da3f2d0d714c720c78b2c1335ebe4068331d981cf5793be345b

SHA512
95c3dc8479602fc751cdd6b241fe72c8ff80aaffefdc4db9f8e9746417066ec8555f84c8c7a641138e1ac92d5efb38b805b1c162a0131bf3e9b3ba003ffadd1e

Download Submit
C:\Users\Admin\AppData\Roaming\discord\j85J.vbe

Filesize
239B

MD5
809c9c712c88de9c72315c13cfa368e9

SHA1
3afa04cc60a11e57930f03e8e0886f8fc5d972d1

SHA256
a28933d0149dada56b9520a2fb2db53dd11911de866a773d74b1139637dc68ab

SHA512
67d1743f0cf58ecef1d54c708a0bd956f07a4f7f8c0d428d394984d3b01c93140e0941c3809df11e189fd69f900daf1dd3f8cf83f374742b1747ebf4dcec6fec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\utwd04ha\utwd04ha.0.cs

Filesize
388B

MD5
6e4718067dc98e1b7a099aef68ee8272

SHA1
41500282816bcbcf59865c6ea150a042d209ad7a

SHA256
d1b1c89b34d03ed597aaadd9763f6f95edbe68583e676bb45356b8f456462eee

SHA512
a6d50ecf552911a6edecc4b74c52b1d2fd3002f9650347888be77050bcddedd8049132dd343b531c59918a30be3dfae8d62cbe8c28fb3b40941888bc1ac1500b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\utwd04ha\utwd04ha.cmdline

Filesize
235B

MD5
c9a18aa8d04d68852c20aa25b9eba899

SHA1
6a113d4bb4bea393b08bb62ffa5a458864d93042

SHA256
580aa82a97402ea9cb63fcde491f32faa10a3cfd7a483c3a230bb36b3c93ecaf

SHA512
14a6db2edee09794059a355948a82beba419b130bb5d0a23352724ee6ee783580ef387479791310e1b26123af2fa3933de4081555ad87adebf6b136ea1caa411

Download Submit
\??\c:\Windows\System32\CSCD42BB5CCD2EE403EA1F17686DAA1FDA8.TMP

Filesize
1KB

MD5
167c870490dc33ec13a83ebb533b1bf6

SHA1
182378ebfa7c8372a988dee50a7dd6f8cda6a367

SHA256
3f742a374ad5a8da8fba9dfea27c7382dde145d46732cfc0002a53a1311df5e6

SHA512
1b48bb5f270f5d99d9dd98cd9da5866aed9377957d92bf1d686878522c438b38a444073c1a0ed4cc85f97315d2ef6abf05b74ab2265fecb20be5795b2ccef64e

Download Submit
\Users\Admin\AppData\Roaming\discord\conhost.exe

Filesize
1.9MB

MD5
7def38e7a209ee1f8c043ea89b9ed23a

SHA1
bcc3005f85b1ad183d685cdd20c8e8c2cb5a3ed2

SHA256
aff6e2141539e7750e16f430c9189488c813d55073a48f25247a4857948d790d

SHA512
def4497f19ad79f1882eb764f79742192a7c05c5c9810174ef1102e201a07c83b1244087772859ea433a3d395080cbbec41d4707639b6ef8917218530e0a0885

Download Submit
memory/752-146-0x00000000003B0000-0x0000000000594000-memory.dmp

Filesize
1.9MB

Download
memory/1672-17-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/1672-25-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/1672-23-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/1672-21-0x0000000000460000-0x0000000000478000-memory.dmp

Filesize
96KB

Download
memory/1672-19-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/1672-15-0x0000000000D50000-0x0000000000F34000-memory.dmp

Filesize
1.9MB

Download
memory/3064-67-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/3064-68-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download