dcrat | 24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-11-2024 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
Size

775KB
MD5

0ed1f9cb842483e03e36cee538678ffd
SHA1

1d13a84aa671b75f66f4c7fce8339619291d4a43
SHA256

24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc
SHA512

78cb214db0ecbc532a50fc1344a138125e0031485c004e95bc21064165f9fd667fa582cd5196a6e1b4276b6dd7fa1d23dfabfe0c58b0d93fbf8e5329b064a809
SSDEEP

12288:FFg6HIZxWaga+z9e9qJeyLVqlUhqgPXdU2ypi0w8ncqXuvVw4heSNSzLz/:FIrr+h0qJeiqlGVUskcz9w4jI3b

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2496-20-0x0000000000400000-0x0000000000478000-memory.dmp	dcrat
behavioral1/memory/2496-18-0x0000000000400000-0x0000000000478000-memory.dmp	dcrat
behavioral1/memory/2496-16-0x0000000000400000-0x0000000000478000-memory.dmp	dcrat
behavioral1/memory/2496-13-0x0000000000400000-0x0000000000478000-memory.dmp	dcrat
behavioral1/memory/2496-12-0x0000000000400000-0x0000000000478000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2672 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

3028 csrss.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

960 cmd.exe

pid	process
2672	powershell.exe

pid	process
3028	csrss.exe

pid	process
960	cmd.exe

Drops file in System32 directory 5 IoCs

Processes:

24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\taskmgr\spoolsv.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
File opened for modification	C:\Windows\SysWOW64\taskmgr\spoolsv.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
File created	C:\Windows\SysWOW64\taskmgr\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
File created	C:\Windows\SysWOW64\wbem\fdSSDP\WmiPrvSE.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
File created	C:\Windows\SysWOW64\wbem\fdSSDP\24dbde2999530ef5fd907494bc374d663924116c	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe

description	pid	process	target process
PID 2292 set thread context of 2496	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe

Drops file in Program Files directory 4 IoCs

Processes:

24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe

description	ioc	process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\5940a34987c99120d96dace90a3f93f329dcad63	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\taskhost.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\b75386f1303e64d8139363b71e44ac16341adf4e	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe

Drops file in Windows directory 2 IoCs

Processes:

24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe

description	ioc	process
File created	C:\Windows\setuperr\explorer.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
File created	C:\Windows\setuperr\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

schtasks.exeschtasks.execsrss.exeschtasks.exeschtasks.execmd.exePING.EXE24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exeschtasks.exeschtasks.exeschtasks.exe24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exeschtasks.exeschtasks.exechcp.compowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

2096 PING.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2096 PING.EXE

pid	process
2096	PING.EXE

pid	process
2096	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2596	schtasks.exe
708	schtasks.exe
2280	schtasks.exe
3032	schtasks.exe
2828	schtasks.exe
2020	schtasks.exe
1956	schtasks.exe
2984	schtasks.exe
2820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exepowershell.exe24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe

pid	process
2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
2672	powershell.exe
2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exepowershell.exe24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe

description	pid	process
Token: SeDebugPrivilege	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe

description	pid	process	target process
PID 2292 wrote to memory of 2672	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	powershell.exe
PID 2292 wrote to memory of 2672	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	powershell.exe
PID 2292 wrote to memory of 2672	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	powershell.exe
PID 2292 wrote to memory of 2672	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	powershell.exe
PID 2292 wrote to memory of 2352	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
PID 2292 wrote to memory of 2352	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
PID 2292 wrote to memory of 2352	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
PID 2292 wrote to memory of 2352	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
PID 2292 wrote to memory of 1516	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
PID 2292 wrote to memory of 1516	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
PID 2292 wrote to memory of 1516	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
PID 2292 wrote to memory of 1516	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
PID 2292 wrote to memory of 2756	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
PID 2292 wrote to memory of 2756	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
PID 2292 wrote to memory of 2756	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
PID 2292 wrote to memory of 2756	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
PID 2292 wrote to memory of 2496	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
PID 2292 wrote to memory of 2496	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
PID 2292 wrote to memory of 2496	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
PID 2292 wrote to memory of 2496	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
PID 2292 wrote to memory of 2496	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
PID 2292 wrote to memory of 2496	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
PID 2292 wrote to memory of 2496	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
PID 2292 wrote to memory of 2496	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
PID 2292 wrote to memory of 2496	2292	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
PID 2496 wrote to memory of 2020	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2020	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2020	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2020	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 1956	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 1956	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 1956	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 1956	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2984	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2984	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2984	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2984	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2820	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2820	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2820	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2820	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 3032	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 3032	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 3032	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 3032	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2596	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2596	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2596	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2596	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 708	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 708	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 708	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 708	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2828	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2828	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2828	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2828	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2280	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2280	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2280	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 2280	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	schtasks.exe
PID 2496 wrote to memory of 960	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	cmd.exe
PID 2496 wrote to memory of 960	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	cmd.exe
PID 2496 wrote to memory of 960	2496	24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
"C:\Users\Admin\AppData\Local\Temp\24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
  "C:\Users\Admin\AppData\Local\Temp\24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe"
  2⤵
  PID:2352
- C:\Users\Admin\AppData\Local\Temp\24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
  "C:\Users\Admin\AppData\Local\Temp\24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe"
  2⤵
  PID:1516
- C:\Users\Admin\AppData\Local\Temp\24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
  "C:\Users\Admin\AppData\Local\Temp\24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe"
  2⤵
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
  "C:\Users\Admin\AppData\Local\Temp\24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe"
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\taskmgr\spoolsv.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2020
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1956
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\spoolsv.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2984
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2820
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\fdSSDP\WmiPrvSE.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3032
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\taskhost.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2596
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\PerfLogs\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:708
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\setuperr\explorer.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2828
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\Documents\csrss.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8rh3c5yM0i.bat"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:960
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:1424
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2096
  - - C:\ProgramData\Documents\csrss.exe
      "C:\ProgramData\Documents\csrss.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8rh3c5yM0i.bat

Filesize
200B

MD5
b747f0058cbc18c946808caca6e03c82

SHA1
985eea1e65d98cb1d5205bd50e67093e0a1315a2

SHA256
0ab37cc12436f4d4da6b01976359225a670b4ecd53f0747cb4aba7814257d1f0

SHA512
1d5e4175ff14d6be130184706ef9108188827335a3de266d30ff1ac8bb0d76a407054a26356fe106a69ce6f412e092ecd5b67478257bdb2999fa8469c141d1fb

Download Submit
C:\Windows\SysWOW64\wbem\fdSSDP\WmiPrvSE.exe

Filesize
775KB

MD5
0ed1f9cb842483e03e36cee538678ffd

SHA1
1d13a84aa671b75f66f4c7fce8339619291d4a43

SHA256
24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc

SHA512
78cb214db0ecbc532a50fc1344a138125e0031485c004e95bc21064165f9fd667fa582cd5196a6e1b4276b6dd7fa1d23dfabfe0c58b0d93fbf8e5329b064a809

Download Submit
memory/2292-22-0x0000000074E00000-0x00000000754EE000-memory.dmp

Filesize
6.9MB

Download
memory/2292-1-0x0000000000090000-0x0000000000154000-memory.dmp

Filesize
784KB

Download
memory/2292-2-0x0000000074E00000-0x00000000754EE000-memory.dmp

Filesize
6.9MB

Download
memory/2292-3-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2292-4-0x0000000074E0E000-0x0000000074E0F000-memory.dmp

Filesize
4KB

Download
memory/2292-5-0x0000000074E00000-0x00000000754EE000-memory.dmp

Filesize
6.9MB

Download
memory/2292-6-0x00000000052A0000-0x0000000005340000-memory.dmp

Filesize
640KB

Download
memory/2292-7-0x0000000004F80000-0x0000000005000000-memory.dmp

Filesize
512KB

Download
memory/2292-0-0x0000000074E0E000-0x0000000074E0F000-memory.dmp

Filesize
4KB

Download
memory/2496-16-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2496-13-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2496-12-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2496-10-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2496-8-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2496-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2496-21-0x0000000074E00000-0x00000000754EE000-memory.dmp

Filesize
6.9MB

Download
memory/2496-25-0x0000000074E00000-0x00000000754EE000-memory.dmp

Filesize
6.9MB

Download
memory/2496-18-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2496-49-0x0000000074E00000-0x00000000754EE000-memory.dmp

Filesize
6.9MB

Download
memory/2496-20-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3028-55-0x0000000001210000-0x00000000012D4000-memory.dmp

Filesize
784KB

Download