dcrat | 8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366

Analysis

max time kernel
133s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

477DB3DE46B7779B63495A8BDB279F2C.exe
Size

1.6MB
MD5

477db3de46b7779b63495a8bdb279f2c
SHA1

77dc3f7d83728294c49298db82dd0e668adc3a73
SHA256

8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366
SHA512

4ac940fa7ce3c8a2a646639a5b00c5c8a1dcafcfba460782068446a321455cf5af10e1e6ae4e6753150beab7d2431a7c38192787b32c4e508b73f4b3ac843956
SSDEEP

24576:/KEYWAa5pLMzdFGZWWs5cRtb6kMgmrmtXVdaNjTXf3qtzdzkkJj6:/p1JAz5cjb6k4cFdaNjTXfa/

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Defender\\OSPPSVC.exe\", \"C:\\Users\\Admin\\Start Menu\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\spoolsv.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Defender\\OSPPSVC.exe\", \"C:\\Users\\Admin\\Start Menu\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\477DB3DE46B7779B63495A8BDB279F2C.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\wininit.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Defender\\OSPPSVC.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Defender\\OSPPSVC.exe\", \"C:\\Users\\Admin\\Start Menu\\System.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	2960	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1260	powershell.exe
608	powershell.exe
1096	powershell.exe
528	powershell.exe
2180	powershell.exe
1616	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
880	OSPPSVC.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files (x86)\\Windows Defender\\OSPPSVC.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\spoolsv.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\477DB3DE46B7779B63495A8BDB279F2C = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\477DB3DE46B7779B63495A8BDB279F2C.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Admin\\Start Menu\\System.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\spoolsv.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\wininit.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\wininit.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files (x86)\\Windows Defender\\OSPPSVC.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Admin\\Start Menu\\System.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\477DB3DE46B7779B63495A8BDB279F2C = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\477DB3DE46B7779B63495A8BDB279F2C.exe\""	477DB3DE46B7779B63495A8BDB279F2C.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\qrosn9.exe	csc.exe
File created	\??\c:\Windows\System32\CSCCB4F0D28336345F7AD317DFE28E21C50.TMP	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\OSPPSVC.exe	477DB3DE46B7779B63495A8BDB279F2C.exe
File created	C:\Program Files (x86)\Windows Defender\1610b97d3ab4a7	477DB3DE46B7779B63495A8BDB279F2C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1068	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1068	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2296	schtasks.exe
1600	schtasks.exe
2448	schtasks.exe
2128	schtasks.exe
236	schtasks.exe
332	schtasks.exe
1492	schtasks.exe
3036	schtasks.exe
2440	schtasks.exe
2736	schtasks.exe
1904	schtasks.exe
1852	schtasks.exe
2028	schtasks.exe
2452	schtasks.exe
2948	schtasks.exe
2912	schtasks.exe
2412	schtasks.exe
2628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1520	477DB3DE46B7779B63495A8BDB279F2C.exe
1616	powershell.exe
608	powershell.exe
1096	powershell.exe
2180	powershell.exe
1260	powershell.exe
528	powershell.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe
880	OSPPSVC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
880	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	477DB3DE46B7779B63495A8BDB279F2C.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	880	OSPPSVC.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2860	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	34
PID 1520 wrote to memory of 2860	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	34
PID 1520 wrote to memory of 2860	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	34
PID 2860 wrote to memory of 2728	2860	csc.exe	36
PID 2860 wrote to memory of 2728	2860	csc.exe	36
PID 2860 wrote to memory of 2728	2860	csc.exe	36
PID 1520 wrote to memory of 608	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	52
PID 1520 wrote to memory of 608	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	52
PID 1520 wrote to memory of 608	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	52
PID 1520 wrote to memory of 1096	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	53
PID 1520 wrote to memory of 1096	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	53
PID 1520 wrote to memory of 1096	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	53
PID 1520 wrote to memory of 528	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	54
PID 1520 wrote to memory of 528	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	54
PID 1520 wrote to memory of 528	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	54
PID 1520 wrote to memory of 2180	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	55
PID 1520 wrote to memory of 2180	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	55
PID 1520 wrote to memory of 2180	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	55
PID 1520 wrote to memory of 1260	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	56
PID 1520 wrote to memory of 1260	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	56
PID 1520 wrote to memory of 1260	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	56
PID 1520 wrote to memory of 1616	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	57
PID 1520 wrote to memory of 1616	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	57
PID 1520 wrote to memory of 1616	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	57
PID 1520 wrote to memory of 492	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	64
PID 1520 wrote to memory of 492	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	64
PID 1520 wrote to memory of 492	1520	477DB3DE46B7779B63495A8BDB279F2C.exe	64
PID 492 wrote to memory of 1460	492	cmd.exe	66
PID 492 wrote to memory of 1460	492	cmd.exe	66
PID 492 wrote to memory of 1460	492	cmd.exe	66
PID 492 wrote to memory of 1068	492	cmd.exe	67
PID 492 wrote to memory of 1068	492	cmd.exe	67
PID 492 wrote to memory of 1068	492	cmd.exe	67
PID 492 wrote to memory of 880	492	cmd.exe	68
PID 492 wrote to memory of 880	492	cmd.exe	68
PID 492 wrote to memory of 880	492	cmd.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\477DB3DE46B7779B63495A8BDB279F2C.exe
"C:\Users\Admin\AppData\Local\Temp\477DB3DE46B7779B63495A8BDB279F2C.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\52h0mlh5\52h0mlh5.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBFE5.tmp" "c:\Windows\System32\CSCCB4F0D28336345F7AD317DFE28E21C50.TMP"
    3⤵
    PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\477DB3DE46B7779B63495A8BDB279F2C.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5n2Uw3l7AM.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:492
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1460
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1068
- - C:\Program Files (x86)\Windows Defender\OSPPSVC.exe
    "C:\Program Files (x86)\Windows Defender\OSPPSVC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Start Menu\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Start Menu\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "477DB3DE46B7779B63495A8BDB279F2C4" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\477DB3DE46B7779B63495A8BDB279F2C.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "477DB3DE46B7779B63495A8BDB279F2C" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\477DB3DE46B7779B63495A8BDB279F2C.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "477DB3DE46B7779B63495A8BDB279F2C4" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\477DB3DE46B7779B63495A8BDB279F2C.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe

Filesize
1.6MB

MD5
477db3de46b7779b63495a8bdb279f2c

SHA1
77dc3f7d83728294c49298db82dd0e668adc3a73

SHA256
8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366

SHA512
4ac940fa7ce3c8a2a646639a5b00c5c8a1dcafcfba460782068446a321455cf5af10e1e6ae4e6753150beab7d2431a7c38192787b32c4e508b73f4b3ac843956

Download Submit
C:\Users\Admin\AppData\Local\Temp\5n2Uw3l7AM.bat

Filesize
179B

MD5
1c35ec4fd21c27fd5c42542a6702bb26

SHA1
e2f7898db3e563370be14bcccb7abe9f3bac6d15

SHA256
d3ec2622a84a9b4c94aec9109c62297524f0b307a98a5009341304ccb27ec920

SHA512
3db1a3c2362d7051448538a87561f25e2bb59ce442ef01cdc7b3b3f666703c7ec85a74ab9919fe2d4941e04a96a7c55526692731bcf48caa7d355555df81eec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBFE5.tmp

Filesize
1KB

MD5
b352c3ea754c6c3086916fcbb12f4b97

SHA1
1b2b92a11edb7fef216c7e26a9ad2aef0c757a28

SHA256
12c412859fe3514d91e22ebd8400b3b2bc0f6d8da28a6b5c99aea5f824ce0756

SHA512
29f6eb935e7e01df1c840c1531a91752cf68ec2d24c7a23989566f89421c2128f312b52569f9377ee19a690761a32a51f588fda10f6e5ae007a8ced5021b3933

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0e4c9a75a8f754f3ec1cfdf4f47fcb0f

SHA1
a6c56ac5b96039c956ebbceabb12bd616a33b29a

SHA256
1875985534bf76db6767dbad8fa17d87987e3ed3415f4f282d61926c84fc7a99

SHA512
040b1693814d02e3e326c7cc220244d6ff9e82428708a4ad676e112690210af129e0defdc4ba6778c858f40237efbd6025a4980e70d84705d0e4db4a4679047a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\52h0mlh5\52h0mlh5.0.cs

Filesize
389B

MD5
0d937c23e384cfb3d96a9d1a9a01cd3a

SHA1
9bcac4a80bb552d62f93ba2637bb071d54f578d2

SHA256
0856deec139b46facc936e95aecaf4d12f6b3620f08080745e291aa627d6f514

SHA512
d127596e2bc52dc44a0d755a359acbc5f1404a3b81a119e94feaa1189b2005e68a73f910b3028adb1da64335bfc7b69b0285d2c1a3f25e0d7f3562d1624d1c34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\52h0mlh5\52h0mlh5.cmdline

Filesize
235B

MD5
53da1f0cbb77453f1962bcddd52489d3

SHA1
63e1234dec9dfb2e64c9b33bbf8e0758b11a00c9

SHA256
07bbbad53862ca2d6e58592f1485172259741d1a0dbb08d8d54ea30c4fb581f1

SHA512
579ce6ba6c248266a71dce12413418e492297f73172b21cf294f3e3d68beb9b0ed371e70745f50c7c58a1f0baacc6b59d5153358c7b6f31f5db42790428bc943

Download Submit
\??\c:\Windows\System32\CSCCB4F0D28336345F7AD317DFE28E21C50.TMP

Filesize
1KB

MD5
332eb1c3dc41d312a6495d9ea0a81166

SHA1
1d5c1b68be781b14620d9e98183506f8651f4afd

SHA256
bab20fa8251fcee3c944e76bdc082850ae4a32fd2eff761fec3bc445f58d11f2

SHA512
2c5ae1de2d4cb7f1e1540b455f7876eb1f494cda57bfb8e78a81aa01f3f453c5488b986cd170d6dc96bf684874c54257bfd0335a78764cc3fa43fe310a0cf440

Download Submit
memory/880-74-0x0000000000310000-0x00000000004BA000-memory.dmp

Filesize
1.7MB

Download
memory/1520-22-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1520-11-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1520-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/1520-9-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1520-8-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/1520-6-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/1520-4-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1520-3-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1520-60-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1520-2-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1520-1-0x0000000001250000-0x00000000013FA000-memory.dmp

Filesize
1.7MB

Download
memory/1616-49-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/1616-59-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download