dcrat | 8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366

Analysis

max time kernel
139s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

477DB3DE46B7779B63495A8BDB279F2C.exe
Size

1.6MB
MD5

477db3de46b7779b63495a8bdb279f2c
SHA1

77dc3f7d83728294c49298db82dd0e668adc3a73
SHA256

8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366
SHA512

4ac940fa7ce3c8a2a646639a5b00c5c8a1dcafcfba460782068446a321455cf5af10e1e6ae4e6753150beab7d2431a7c38192787b32c4e508b73f4b3ac843956
SSDEEP

24576:/KEYWAa5pLMzdFGZWWs5cRtb6kMgmrmtXVdaNjTXf3qtzdzkkJj6:/p1JAz5cjb6k4cFdaNjTXfa/

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

477DB3DE46B7779B63495A8BDB279F2C.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Start Menu\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\SearchApp.exe\", \"C:\\Users\\Default\\SppExtComObj.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Start Menu\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\SearchApp.exe\", \"C:\\Users\\Default\\SppExtComObj.exe\", \"C:\\Windows\\Temp\\spoolsv.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Start Menu\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\SearchApp.exe\", \"C:\\Users\\Default\\SppExtComObj.exe\", \"C:\\Windows\\Temp\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Mail\\Idle.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Start Menu\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\SearchApp.exe\", \"C:\\Users\\Default\\SppExtComObj.exe\", \"C:\\Windows\\Temp\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Mail\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\477DB3DE46B7779B63495A8BDB279F2C.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Start Menu\\TextInputHost.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Start Menu\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\SearchApp.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	4072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	4072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	4072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	4072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	4072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	4072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	4072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	4072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	4072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	4072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	4072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	4072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	4072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	4072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	4072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	4072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	4072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	4072	schtasks.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

376 powershell.exe
1768 powershell.exe
940 powershell.exe
396 powershell.exe
3148 powershell.exe
3660 powershell.exe

pid	process
376	powershell.exe
1768	powershell.exe
940	powershell.exe
396	powershell.exe
3148	powershell.exe
3660	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

477DB3DE46B7779B63495A8BDB279F2C.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	477DB3DE46B7779B63495A8BDB279F2C.exe

Executes dropped EXE 1 IoCs

Processes:

SppExtComObj.exe

pid process

2900 SppExtComObj.exe

pid	process
2900	SppExtComObj.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

477DB3DE46B7779B63495A8BDB279F2C.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Windows Mail\\Idle.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\Default\\SppExtComObj.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\Default\\SppExtComObj.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Temp\\spoolsv.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\Windows Multimedia Platform\\SearchApp.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Temp\\spoolsv.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Windows Mail\\Idle.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\477DB3DE46B7779B63495A8BDB279F2C = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\477DB3DE46B7779B63495A8BDB279F2C.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\477DB3DE46B7779B63495A8BDB279F2C = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\477DB3DE46B7779B63495A8BDB279F2C.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Admin\\Start Menu\\TextInputHost.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Admin\\Start Menu\\TextInputHost.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\Windows Multimedia Platform\\SearchApp.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSCC8826200D52B4C23AEEB4D2D3332931.TMP	csc.exe
File created	\??\c:\Windows\System32\-63gkj.exe	csc.exe

Drops file in Program Files directory 5 IoCs

Processes:

477DB3DE46B7779B63495A8BDB279F2C.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Mail\6ccacd8608530f	477DB3DE46B7779B63495A8BDB279F2C.exe
File created	C:\Program Files\Windows Multimedia Platform\SearchApp.exe	477DB3DE46B7779B63495A8BDB279F2C.exe
File created	C:\Program Files\Windows Multimedia Platform\38384e6a620884	477DB3DE46B7779B63495A8BDB279F2C.exe
File created	C:\Program Files (x86)\Windows Mail\Idle.exe	477DB3DE46B7779B63495A8BDB279F2C.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\Idle.exe	477DB3DE46B7779B63495A8BDB279F2C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

636 PING.EXE

pid	process
636	PING.EXE

Modifies registry class 1 IoCs

Processes:

477DB3DE46B7779B63495A8BDB279F2C.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	477DB3DE46B7779B63495A8BDB279F2C.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

636 PING.EXE

pid	process
636	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
4868	schtasks.exe
4964	schtasks.exe
4548	schtasks.exe
4112	schtasks.exe
3480	schtasks.exe
2780	schtasks.exe
2272	schtasks.exe
2764	schtasks.exe
428	schtasks.exe
3512	schtasks.exe
5100	schtasks.exe
5064	schtasks.exe
4176	schtasks.exe
3504	schtasks.exe
920	schtasks.exe
1212	schtasks.exe
4204	schtasks.exe
4092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

477DB3DE46B7779B63495A8BDB279F2C.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSppExtComObj.exe

pid	process
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3692	477DB3DE46B7779B63495A8BDB279F2C.exe
3660	powershell.exe
3660	powershell.exe
940	powershell.exe
940	powershell.exe
376	powershell.exe
376	powershell.exe
396	powershell.exe
396	powershell.exe
3148	powershell.exe
3148	powershell.exe
1768	powershell.exe
1768	powershell.exe
376	powershell.exe
396	powershell.exe
940	powershell.exe
3660	powershell.exe
3148	powershell.exe
1768	powershell.exe
2900	SppExtComObj.exe
2900	SppExtComObj.exe
2900	SppExtComObj.exe
2900	SppExtComObj.exe
2900	SppExtComObj.exe
2900	SppExtComObj.exe
2900	SppExtComObj.exe
2900	SppExtComObj.exe
2900	SppExtComObj.exe
2900	SppExtComObj.exe
2900	SppExtComObj.exe
2900	SppExtComObj.exe
2900	SppExtComObj.exe
2900	SppExtComObj.exe
2900	SppExtComObj.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SppExtComObj.exe

pid process

2900 SppExtComObj.exe

pid	process
2900	SppExtComObj.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

477DB3DE46B7779B63495A8BDB279F2C.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSppExtComObj.exe

description	pid	process
Token: SeDebugPrivilege	3692	477DB3DE46B7779B63495A8BDB279F2C.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	3148	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2900	SppExtComObj.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

477DB3DE46B7779B63495A8BDB279F2C.execsc.execmd.exe

description	pid	process	target process
PID 3692 wrote to memory of 1304	3692	477DB3DE46B7779B63495A8BDB279F2C.exe	csc.exe
PID 3692 wrote to memory of 1304	3692	477DB3DE46B7779B63495A8BDB279F2C.exe	csc.exe
PID 1304 wrote to memory of 4836	1304	csc.exe	cvtres.exe
PID 1304 wrote to memory of 4836	1304	csc.exe	cvtres.exe
PID 3692 wrote to memory of 1768	3692	477DB3DE46B7779B63495A8BDB279F2C.exe	powershell.exe
PID 3692 wrote to memory of 1768	3692	477DB3DE46B7779B63495A8BDB279F2C.exe	powershell.exe
PID 3692 wrote to memory of 940	3692	477DB3DE46B7779B63495A8BDB279F2C.exe	powershell.exe
PID 3692 wrote to memory of 940	3692	477DB3DE46B7779B63495A8BDB279F2C.exe	powershell.exe
PID 3692 wrote to memory of 376	3692	477DB3DE46B7779B63495A8BDB279F2C.exe	powershell.exe
PID 3692 wrote to memory of 376	3692	477DB3DE46B7779B63495A8BDB279F2C.exe	powershell.exe
PID 3692 wrote to memory of 3660	3692	477DB3DE46B7779B63495A8BDB279F2C.exe	powershell.exe
PID 3692 wrote to memory of 3660	3692	477DB3DE46B7779B63495A8BDB279F2C.exe	powershell.exe
PID 3692 wrote to memory of 3148	3692	477DB3DE46B7779B63495A8BDB279F2C.exe	powershell.exe
PID 3692 wrote to memory of 3148	3692	477DB3DE46B7779B63495A8BDB279F2C.exe	powershell.exe
PID 3692 wrote to memory of 396	3692	477DB3DE46B7779B63495A8BDB279F2C.exe	powershell.exe
PID 3692 wrote to memory of 396	3692	477DB3DE46B7779B63495A8BDB279F2C.exe	powershell.exe
PID 3692 wrote to memory of 4396	3692	477DB3DE46B7779B63495A8BDB279F2C.exe	cmd.exe
PID 3692 wrote to memory of 4396	3692	477DB3DE46B7779B63495A8BDB279F2C.exe	cmd.exe
PID 4396 wrote to memory of 2632	4396	cmd.exe	chcp.com
PID 4396 wrote to memory of 2632	4396	cmd.exe	chcp.com
PID 4396 wrote to memory of 636	4396	cmd.exe	PING.EXE
PID 4396 wrote to memory of 636	4396	cmd.exe	PING.EXE
PID 4396 wrote to memory of 2900	4396	cmd.exe	SppExtComObj.exe
PID 4396 wrote to memory of 2900	4396	cmd.exe	SppExtComObj.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\477DB3DE46B7779B63495A8BDB279F2C.exe
"C:\Users\Admin\AppData\Local\Temp\477DB3DE46B7779B63495A8BDB279F2C.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dsjfk3lw\dsjfk3lw.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FEE.tmp" "c:\Windows\System32\CSCC8826200D52B4C23AEEB4D2D3332931.TMP"
    3⤵
    PID:4836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\477DB3DE46B7779B63495A8BDB279F2C.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g3jD3GgiLC.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2632
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:636
- - C:\Users\Default\SppExtComObj.exe
    "C:\Users\Default\SppExtComObj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Start Menu\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Temp\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Temp\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "477DB3DE46B7779B63495A8BDB279F2C4" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\477DB3DE46B7779B63495A8BDB279F2C.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "477DB3DE46B7779B63495A8BDB279F2C" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\477DB3DE46B7779B63495A8BDB279F2C.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "477DB3DE46B7779B63495A8BDB279F2C4" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\477DB3DE46B7779B63495A8BDB279F2C.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7FEE.tmp

Filesize
1KB

MD5
62deb1f5f34dbf6abf788ade8383b4b5

SHA1
db2813304c1464ecc4f2ba93c1ef969cb40a11e4

SHA256
fbee1f9e42d744fd740b712ec66fb86e0c5fe0d3e52f2968e36dbc4a2e40cc6d

SHA512
c5f9a03e11083f3c55f5d03a730aa17177d96c614e85682446ea715f1b2f1dbf81c157241a1a6e3ad514965cc1bf6f1615b109254efed38311c9cdeadc7b81f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nh5lsagi.xj1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\g3jD3GgiLC.bat

Filesize
161B

MD5
a95a22a1da7ca458cd51385f7554ea51

SHA1
14fe2103417cf1a2e5903741f16ec88a42d79ee9

SHA256
75c475007d2a7c50043ba46cf93cff47379804fb1c3c11b16a9bee3bb04f880e

SHA512
bffca3c8a00720bef5b70a9c08fb83d39c81631a8b66e624cb7161251fe06bee2942d9e9e0649f7b84b61da8455b2761b8c015efd1dd75e28953960e774dcbb3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\TextInputHost.exe

Filesize
1.6MB

MD5
477db3de46b7779b63495a8bdb279f2c

SHA1
77dc3f7d83728294c49298db82dd0e668adc3a73

SHA256
8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366

SHA512
4ac940fa7ce3c8a2a646639a5b00c5c8a1dcafcfba460782068446a321455cf5af10e1e6ae4e6753150beab7d2431a7c38192787b32c4e508b73f4b3ac843956

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dsjfk3lw\dsjfk3lw.0.cs

Filesize
375B

MD5
9cc4511764b517d1bebe533a06061367

SHA1
b33dbc9fa3237981bb9c3f934560cc7deb35bd1a

SHA256
3089a99fb535395208e8c6da271dc133123b1ee6c70167df99e4e2b9f97b98e1

SHA512
2785f87b74bded27e536b8fda4199fb55be24074418cea207888391e540818076e78bc49e8c2182ec1d9920e1b36f3d3ac85640e20e427fc9c5d7fe4bda55435

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dsjfk3lw\dsjfk3lw.cmdline

Filesize
235B

MD5
a2001d4a9de3854f18d5f2a02f2a85e3

SHA1
2f291ec92ef2d145c93064ea2a99b179dfb2c9d6

SHA256
82400986eb02432229c0198ebf0f0535f64f6b009272f7d0cfdcfba707bc107f

SHA512
17d49eee4cfdfb44deb4e30798f97fae2f3c97284e7fedcfe68de3a1ed7f78b74de1ae5e70b2703a187d1e6a57c2c6b6977c2e9124a5d1899ec2d54ac934fdad

Download Submit
\??\c:\Windows\System32\CSCC8826200D52B4C23AEEB4D2D3332931.TMP

Filesize
1KB

MD5
82a7b8ef3bc275711e3b27c6df93c7ff

SHA1
bdac909f26475c94c74145576bcf22adb0f8203c

SHA256
582921e5e6617cb736006c46c9c8576d8fdefb8763469bdbf305d52d298f6124

SHA512
f2100bca60280f6ad93f40254d6fe69bd9917a44973516874aa54c28042796503daac5c51869924f5ecd17615f461dda6441f479e1201c44ad07f5a7728af248

Download Submit
memory/376-45-0x00000174E6660000-0x00000174E6682000-memory.dmp

Filesize
136KB

Download
memory/3692-22-0x00007FFB5E350000-0x00007FFB5EE11000-memory.dmp

Filesize
10.8MB

Download
memory/3692-0-0x00007FFB5E353000-0x00007FFB5E355000-memory.dmp

Filesize
8KB

Download
memory/3692-10-0x00007FFB5E350000-0x00007FFB5EE11000-memory.dmp

Filesize
10.8MB

Download
memory/3692-50-0x00007FFB5E350000-0x00007FFB5EE11000-memory.dmp

Filesize
10.8MB

Download
memory/3692-9-0x0000000002590000-0x000000000259C000-memory.dmp

Filesize
48KB

Download
memory/3692-7-0x00000000024F0000-0x00000000024FE000-memory.dmp

Filesize
56KB

Download
memory/3692-5-0x00007FFB5E350000-0x00007FFB5EE11000-memory.dmp

Filesize
10.8MB

Download
memory/3692-4-0x00007FFB5E350000-0x00007FFB5EE11000-memory.dmp

Filesize
10.8MB

Download
memory/3692-3-0x00007FFB5E350000-0x00007FFB5EE11000-memory.dmp

Filesize
10.8MB

Download
memory/3692-2-0x00007FFB5E350000-0x00007FFB5EE11000-memory.dmp

Filesize
10.8MB

Download
memory/3692-1-0x00000000002B0000-0x000000000045A000-memory.dmp

Filesize
1.7MB

Download