dcrat | ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59e

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
Size

1.1MB
MD5

bf13fac7f8484064e0b61d4930e82580
SHA1

08495d92383b65f214c87a4aaed1103fe4cc7330
SHA256

ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59e
SHA512

cfba119bdbe539b7c64a5a9bf2581b21d6fa120154745f54bc36c1aac3ddfa555d4d01dd43c0626c2d95cd5eb0005c1c03387c853a18e8ef3d4d1c9d472ada87
SSDEEP

24576:ZxU376C0skFgqIyXFnbCDQgZ8e7FRsWC9ZRHInh4j1Cf6liXwkOmpd:EPkVXFGDQoP7FRCZRonh4hfewhmpd

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2568	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2568	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2568	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2568	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2568	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2568	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2568	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2568	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2568	schtasks.exe	32

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2768-20-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2768-18-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2768-16-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2768-13-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2768-12-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2296-123-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2296-121-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/1236-148-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/1236-150-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2176-175-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2176-177-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
580	powershell.exe
2832	powershell.exe
2876	powershell.exe
2180	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
2416	winlogon.exe
2296	winlogon.exe
2580	winlogon.exe
1236	winlogon.exe
1632	winlogon.exe
2176	winlogon.exe

Loads dropped DLL 4 IoCs

pid	Process
668	cmd.exe
668	cmd.exe
1780	WScript.exe
2836	WScript.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2308 set thread context of 2768	2308	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	31
PID 2416 set thread context of 2296	2416	winlogon.exe	55
PID 2580 set thread context of 1236	2580	winlogon.exe	60
PID 1632 set thread context of 2176	1632	winlogon.exe	64

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2968	schtasks.exe
1792	schtasks.exe
1544	schtasks.exe
1180	schtasks.exe
2440	schtasks.exe
1508	schtasks.exe
2820	schtasks.exe
1248	schtasks.exe
1480	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
2832	powershell.exe
2180	powershell.exe
580	powershell.exe
2876	powershell.exe
2296	winlogon.exe
1236	winlogon.exe
2176	winlogon.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2296	winlogon.exe
Token: SeDebugPrivilege	1236	winlogon.exe
Token: SeDebugPrivilege	2176	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2768	2308	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	31
PID 2308 wrote to memory of 2768	2308	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	31
PID 2308 wrote to memory of 2768	2308	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	31
PID 2308 wrote to memory of 2768	2308	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	31
PID 2308 wrote to memory of 2768	2308	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	31
PID 2308 wrote to memory of 2768	2308	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	31
PID 2308 wrote to memory of 2768	2308	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	31
PID 2308 wrote to memory of 2768	2308	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	31
PID 2308 wrote to memory of 2768	2308	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	31
PID 2768 wrote to memory of 2876	2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	42
PID 2768 wrote to memory of 2876	2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	42
PID 2768 wrote to memory of 2876	2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	42
PID 2768 wrote to memory of 2876	2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	42
PID 2768 wrote to memory of 2832	2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	43
PID 2768 wrote to memory of 2832	2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	43
PID 2768 wrote to memory of 2832	2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	43
PID 2768 wrote to memory of 2832	2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	43
PID 2768 wrote to memory of 580	2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	45
PID 2768 wrote to memory of 580	2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	45
PID 2768 wrote to memory of 580	2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	45
PID 2768 wrote to memory of 580	2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	45
PID 2768 wrote to memory of 2180	2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	46
PID 2768 wrote to memory of 2180	2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	46
PID 2768 wrote to memory of 2180	2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	46
PID 2768 wrote to memory of 2180	2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	46
PID 2768 wrote to memory of 668	2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	50
PID 2768 wrote to memory of 668	2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	50
PID 2768 wrote to memory of 668	2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	50
PID 2768 wrote to memory of 668	2768	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	50
PID 668 wrote to memory of 1716	668	cmd.exe	52
PID 668 wrote to memory of 1716	668	cmd.exe	52
PID 668 wrote to memory of 1716	668	cmd.exe	52
PID 668 wrote to memory of 1716	668	cmd.exe	52
PID 1716 wrote to memory of 584	1716	w32tm.exe	53
PID 1716 wrote to memory of 584	1716	w32tm.exe	53
PID 1716 wrote to memory of 584	1716	w32tm.exe	53
PID 1716 wrote to memory of 584	1716	w32tm.exe	53
PID 668 wrote to memory of 2416	668	cmd.exe	54
PID 668 wrote to memory of 2416	668	cmd.exe	54
PID 668 wrote to memory of 2416	668	cmd.exe	54
PID 668 wrote to memory of 2416	668	cmd.exe	54
PID 2416 wrote to memory of 2296	2416	winlogon.exe	55
PID 2416 wrote to memory of 2296	2416	winlogon.exe	55
PID 2416 wrote to memory of 2296	2416	winlogon.exe	55
PID 2416 wrote to memory of 2296	2416	winlogon.exe	55
PID 2416 wrote to memory of 2296	2416	winlogon.exe	55
PID 2416 wrote to memory of 2296	2416	winlogon.exe	55
PID 2416 wrote to memory of 2296	2416	winlogon.exe	55
PID 2416 wrote to memory of 2296	2416	winlogon.exe	55
PID 2416 wrote to memory of 2296	2416	winlogon.exe	55
PID 2296 wrote to memory of 1780	2296	winlogon.exe	56
PID 2296 wrote to memory of 1780	2296	winlogon.exe	56
PID 2296 wrote to memory of 1780	2296	winlogon.exe	56
PID 2296 wrote to memory of 1780	2296	winlogon.exe	56
PID 2296 wrote to memory of 2784	2296	winlogon.exe	57
PID 2296 wrote to memory of 2784	2296	winlogon.exe	57
PID 2296 wrote to memory of 2784	2296	winlogon.exe	57
PID 2296 wrote to memory of 2784	2296	winlogon.exe	57
PID 1780 wrote to memory of 2580	1780	WScript.exe	58
PID 1780 wrote to memory of 2580	1780	WScript.exe	58
PID 1780 wrote to memory of 2580	1780	WScript.exe	58
PID 1780 wrote to memory of 2580	1780	WScript.exe	58
PID 2580 wrote to memory of 1236	2580	winlogon.exe	60
PID 2580 wrote to memory of 1236	2580	winlogon.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
"C:\Users\Admin\AppData\Local\Temp\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
  "{path}"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\sppsvc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:580
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WAYFjljOjk.bat"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\SysWOW64\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:584
  - - C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe
      "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe
        
        "{path}"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6f6b15e-9b6e-41ad-85aa-528739a2d17e.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe
        
        "{path}"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bd82c26-9562-40fe-8455-49dc00da9929.vbs"
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe
        
        "{path}"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a1d9f04-0e10-417b-85ba-c5b639699faa.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c10d729-8ddc-4d9a-b0ea-2600d08d8fdf.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afbe0ab4-cdd4-436d-bd67-705f221f283d.vbs"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2436
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a0e3b25-befb-4850-94e8-dc629faf879c.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe

Filesize
1.1MB

MD5
bf13fac7f8484064e0b61d4930e82580

SHA1
08495d92383b65f214c87a4aaed1103fe4cc7330

SHA256
ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59e

SHA512
cfba119bdbe539b7c64a5a9bf2581b21d6fa120154745f54bc36c1aac3ddfa555d4d01dd43c0626c2d95cd5eb0005c1c03387c853a18e8ef3d4d1c9d472ada87

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a0e3b25-befb-4850-94e8-dc629faf879c.vbs

Filesize
513B

MD5
5e6686ec32e2eaa0aeff626a4d1f979e

SHA1
b593b3c3974aee14ac7048f4c4f0ab3e6b0b6274

SHA256
7801514e99040f0d1abb454edca98bfbe621dbc669a45f837f05f330ba633a92

SHA512
58d21d9925c5b4e0a2f3e2cc8bc3daaee60734da28458a517c8434bac6c6555ddc95ddc7750f5f50fb61dc45bce51316ae7bf94c5a108c9e206e1c878b93203b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4bd82c26-9562-40fe-8455-49dc00da9929.vbs

Filesize
737B

MD5
b9af0c56707d3888fa9cf9c6c9dcccb8

SHA1
0abc29e94b1a7778613a5ce953f93b8fefc7d76b

SHA256
a9dcac3352ad5fe85e561ea2e1b458a0a6ebfe1f54eee6116d96f997ad8e8bbc

SHA512
ffac21d97a8a2be52ff4c8dc8d366d98cc1b7b769c2b8f9462dbb8ecdac0e8143f115b2a42c57c6feb54e336f6c81fa9bd167baf8abf40ae02af21bb703fde87

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a1d9f04-0e10-417b-85ba-c5b639699faa.vbs

Filesize
737B

MD5
34e3f582ac4c3ae2045b8a583ff21f56

SHA1
1a690b851032185dbee03cba2c5cf29331c29ffc

SHA256
70ecd61f78c89a923cef1c0786d8d73bc5fcc2ef4299916267c8d1fc60950d31

SHA512
fb729a0c0caf3f2b9b7c5cb0aebdd4b01184c2627b9b4e5d7eff369a44a5ead12f261ef147e49f457475c2965b58848ae2e5d2e33c10b95e40fb2c7722cbcc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAYFjljOjk.bat

Filesize
226B

MD5
553bfe04219fcc206491b2adcdb22b0d

SHA1
c4b81e64a7661e0cf1229fc9bffe6a2777584c7d

SHA256
2bce642c158450dc63e889155bc1e9279afe360e24e51b455a5d5f73bf249db4

SHA512
31e8ac5cd87c2bff90df4aa881859580410bfda155359b457c2a0c6b14d1ad638c06c533e4b920245c40afa0ffd134e48b0533160e0c1e9bd7211694b19e1092

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6f6b15e-9b6e-41ad-85aa-528739a2d17e.vbs

Filesize
737B

MD5
30209311a1efa9c525645c8868b2d34b

SHA1
4d9a9b7b1f4089a8017a87c847bfe806813fa127

SHA256
992c0da7a4c8e0b242d9f4a8e71b5d04e46ade0054e2520b0f187622efec59cf

SHA512
1859dfcc38b3bd7b07059e74630d6c98852ca66a5bea4c7015522fdfe0760ae3dc7676bcfd1a0231be52f8f782078791a892b8d4a1bb7781845d71188940c8f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d6edba1f307ec1818227b3b5cef705be

SHA1
971ff789a99cf7bf8177e90435aefc933e1400c3

SHA256
6920e94759503597c985f53aacdb15bcba4076d54ab1a7c4a7a54b718aa06a72

SHA512
a75bd3daeca3bd03f4deb129a6fbff6771ae548b8de11c2fa9ca9a7766b0fea3424a50308453cec56127e7cb7522358974437cc65dd8fbe3fb16e6025e1647b2

Download Submit
memory/1236-148-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1236-150-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1632-163-0x0000000000120000-0x000000000024C000-memory.dmp

Filesize
1.2MB

Download
memory/2176-172-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2176-175-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2176-177-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2296-118-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2296-121-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2296-123-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2308-3-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2308-22-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2308-4-0x000000007469E000-0x000000007469F000-memory.dmp

Filesize
4KB

Download
memory/2308-2-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2308-5-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2308-6-0x0000000005460000-0x0000000005556000-memory.dmp

Filesize
984KB

Download
memory/2308-0-0x000000007469E000-0x000000007469F000-memory.dmp

Filesize
4KB

Download
memory/2308-1-0x0000000000040000-0x000000000016C000-memory.dmp

Filesize
1.2MB

Download
memory/2308-7-0x0000000005C70000-0x0000000005D9E000-memory.dmp

Filesize
1.2MB

Download
memory/2416-109-0x0000000000D40000-0x0000000000E6C000-memory.dmp

Filesize
1.2MB

Download
memory/2580-136-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2580-135-0x0000000000D40000-0x0000000000E6C000-memory.dmp

Filesize
1.2MB

Download
memory/2768-16-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2768-34-0x0000000004380000-0x000000000438C000-memory.dmp

Filesize
48KB

Download
memory/2768-33-0x0000000004370000-0x000000000437A000-memory.dmp

Filesize
40KB

Download
memory/2768-32-0x0000000004360000-0x000000000436C000-memory.dmp

Filesize
48KB

Download
memory/2768-31-0x0000000004310000-0x000000000431E000-memory.dmp

Filesize
56KB

Download
memory/2768-104-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2768-30-0x0000000004300000-0x000000000430A000-memory.dmp

Filesize
40KB

Download
memory/2768-29-0x00000000021C0000-0x00000000021CC000-memory.dmp

Filesize
48KB

Download
memory/2768-28-0x0000000002160000-0x0000000002172000-memory.dmp

Filesize
72KB

Download
memory/2768-27-0x0000000002130000-0x0000000002140000-memory.dmp

Filesize
64KB

Download
memory/2768-26-0x0000000002110000-0x0000000002126000-memory.dmp

Filesize
88KB

Download
memory/2768-25-0x0000000001FB0000-0x0000000001FC0000-memory.dmp

Filesize
64KB

Download
memory/2768-24-0x00000000005F0000-0x000000000060C000-memory.dmp

Filesize
112KB

Download
memory/2768-23-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2768-10-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2768-12-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2768-13-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2768-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2768-18-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2768-21-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2768-20-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2768-9-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download