dcrat | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469

Analysis

max time kernel
144s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d756772bc00e5778d794c107358ddf7.exe
Size

1.9MB
MD5

2d756772bc00e5778d794c107358ddf7
SHA1

77229fc9ceeb137c6644a4fa3085aecabaf94ec3
SHA256

a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469
SHA512

31fae1a50618ed221cef3bfc72a017e8e925c3aa2bac727040ee655d9dff567813e91d76fecda0478653d50b8061481447ded77939b94e1ec823c3419b68c783
SSDEEP

24576:S1cKuEoW9iN0TvOJcaCXMgg2Suqp6Nheem6Vuuean7WiOLYGhYJG9oQpyhctpnWq:wb24KbkglgVMm9OAG9oMgctpnW5yI4

Score

10^/10

dcrat execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

2d756772bc00e5778d794c107358ddf7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Videos\\smss.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Videos\\smss.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Videos\\smss.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\spoolsv.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Videos\\smss.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\spoolsv.exe\", \"C:\\Users\\Default User\\sysmon.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Videos\\smss.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\spoolsv.exe\", \"C:\\Users\\Default User\\sysmon.exe\", \"C:\\Users\\Admin\\Downloads\\services.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Videos\\smss.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\spoolsv.exe\", \"C:\\Users\\Default User\\sysmon.exe\", \"C:\\Users\\Admin\\Downloads\\services.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2d756772bc00e5778d794c107358ddf7.exe\""	2d756772bc00e5778d794c107358ddf7.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	3024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	3024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	3024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	3024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	3024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	3024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	3024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	3024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	3024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	3024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	3024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	3024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	3024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	3024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	3024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	3024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	3024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	3024	schtasks.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4912 powershell.exe
2260 powershell.exe
4584 powershell.exe
1016 powershell.exe
2904 powershell.exe
3544 powershell.exe

pid	process
4912	powershell.exe
2260	powershell.exe
4584	powershell.exe
1016	powershell.exe
2904	powershell.exe
3544	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2d756772bc00e5778d794c107358ddf7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	2d756772bc00e5778d794c107358ddf7.exe

Executes dropped EXE 1 IoCs

Processes:

upfc.exe

pid process

1956 upfc.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
1956	upfc.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2d756772bc00e5778d794c107358ddf7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2d756772bc00e5778d794c107358ddf7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2d756772bc00e5778d794c107358ddf7.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2d756772bc00e5778d794c107358ddf7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2d756772bc00e5778d794c107358ddf7.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Admin\\Videos\\smss.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\spoolsv.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Default User\\sysmon.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Admin\\Downloads\\services.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Admin\\Videos\\smss.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\spoolsv.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Default User\\sysmon.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Admin\\Downloads\\services.exe\""	2d756772bc00e5778d794c107358ddf7.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ipinfo.io
18 ipinfo.io
44 ipinfo.io
45 ipinfo.io

flow	ioc
17	ipinfo.io
18	ipinfo.io
44	ipinfo.io
45	ipinfo.io

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSCE5CEE1541E2D476FA16BD463D5834231.TMP	csc.exe
File created	\??\c:\Windows\System32\ovufcs.exe	csc.exe

Drops file in Program Files directory 3 IoCs

Processes:

2d756772bc00e5778d794c107358ddf7.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\spoolsv.exe	2d756772bc00e5778d794c107358ddf7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\f3b6ecef712a24	2d756772bc00e5778d794c107358ddf7.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\SearchApp.exe	2d756772bc00e5778d794c107358ddf7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

2d756772bc00e5778d794c107358ddf7.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	2d756772bc00e5778d794c107358ddf7.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
212	schtasks.exe
4104	schtasks.exe
2996	schtasks.exe
3376	schtasks.exe
996	schtasks.exe
1064	schtasks.exe
1540	schtasks.exe
4476	schtasks.exe
812	schtasks.exe
1620	schtasks.exe
1124	schtasks.exe
2216	schtasks.exe
4896	schtasks.exe
2548	schtasks.exe
2980	schtasks.exe
3528	schtasks.exe
3204	schtasks.exe
3136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2d756772bc00e5778d794c107358ddf7.exe

pid	process
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe
2912	2d756772bc00e5778d794c107358ddf7.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

upfc.exe

pid process

1956 upfc.exe

pid	process
1956	upfc.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

2d756772bc00e5778d794c107358ddf7.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeupfc.exe

description	pid	process
Token: SeDebugPrivilege	2912	2d756772bc00e5778d794c107358ddf7.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	3544	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	1956	upfc.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

2d756772bc00e5778d794c107358ddf7.execsc.execmd.exe

description	pid	process	target process
PID 2912 wrote to memory of 624	2912	2d756772bc00e5778d794c107358ddf7.exe	csc.exe
PID 2912 wrote to memory of 624	2912	2d756772bc00e5778d794c107358ddf7.exe	csc.exe
PID 624 wrote to memory of 2692	624	csc.exe	cvtres.exe
PID 624 wrote to memory of 2692	624	csc.exe	cvtres.exe
PID 2912 wrote to memory of 4912	2912	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 2912 wrote to memory of 4912	2912	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 2912 wrote to memory of 3544	2912	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 2912 wrote to memory of 3544	2912	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 2912 wrote to memory of 2904	2912	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 2912 wrote to memory of 2904	2912	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 2912 wrote to memory of 1016	2912	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 2912 wrote to memory of 1016	2912	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 2912 wrote to memory of 4584	2912	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 2912 wrote to memory of 4584	2912	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 2912 wrote to memory of 2260	2912	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 2912 wrote to memory of 2260	2912	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 2912 wrote to memory of 2820	2912	2d756772bc00e5778d794c107358ddf7.exe	cmd.exe
PID 2912 wrote to memory of 2820	2912	2d756772bc00e5778d794c107358ddf7.exe	cmd.exe
PID 2820 wrote to memory of 3152	2820	cmd.exe	chcp.com
PID 2820 wrote to memory of 3152	2820	cmd.exe	chcp.com
PID 2820 wrote to memory of 992	2820	cmd.exe	w32tm.exe
PID 2820 wrote to memory of 992	2820	cmd.exe	w32tm.exe
PID 2820 wrote to memory of 1956	2820	cmd.exe	upfc.exe
PID 2820 wrote to memory of 1956	2820	cmd.exe	upfc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe
"C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j5dzw1x0\j5dzw1x0.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES981.tmp" "c:\Windows\System32\CSCE5CEE1541E2D476FA16BD463D5834231.TMP"
    3⤵
    PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8R7dO6jYC.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3152
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:992
- - C:\Recovery\WindowsRE\upfc.exe
    "C:\Recovery\WindowsRE\upfc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Videos\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Videos\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Downloads\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2d756772bc00e5778d794c107358ddf72" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2d756772bc00e5778d794c107358ddf7" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2d756772bc00e5778d794c107358ddf72" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
81df8c4b456fb7d11618bf842699b06a

SHA1
b1dfabc024b75879d00c0cb3228425f850544de1

SHA256
c8cd0ba7c42b909850ff2d0fdc077983d840aadc1de7f0ea89b03fb5faa44176

SHA512
74f995c0b2d85ce4a1ee22a02688feb0e31ffb8d63db8067fe7f848bd5070798be6d3ba2b318024dc2254f437e34b1706b98cb202000073d2b7936a630e5f97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\R8R7dO6jYC.bat

Filesize
206B

MD5
0ca008be391220b7ee565396b2c0d1f1

SHA1
c5cd08239cd91e3b4fd7dde9b6bc015821d59b4d

SHA256
3c5f8793ffe9996a9041c90bc559b10ff0d9e7b0f495855824f10903590a62bc

SHA512
5a9de3d272437cfd279e37975e26bea72611afb2e4a49deed6459f1d026aa4d7c90d85e468de085b1f7697ceeebda82f7ab3905b85c8ea1ff550390e1b0eeb25

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES981.tmp

Filesize
1KB

MD5
43ae6985d8c84512e0ff01eb48165609

SHA1
880db1b76a85590ae24f5703bda37082ed9bf787

SHA256
cd7418470c9828308664f31e0f36f056f1982b325780d754acf9221f535af363

SHA512
e3227af0df25a73c354e7473c0265a132cdb6d44d09bff956c4ba1234cd4f2d57783a0b8faa75550db92c62e484b27fdd98d0bfcb6b1ee4a67d738ac84e5b715

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1nv4zwir.qn2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Videos\smss.exe

Filesize
1.9MB

MD5
2d756772bc00e5778d794c107358ddf7

SHA1
77229fc9ceeb137c6644a4fa3085aecabaf94ec3

SHA256
a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469

SHA512
31fae1a50618ed221cef3bfc72a017e8e925c3aa2bac727040ee655d9dff567813e91d76fecda0478653d50b8061481447ded77939b94e1ec823c3419b68c783

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j5dzw1x0\j5dzw1x0.0.cs

Filesize
362B

MD5
5842a9e93a9eafd90e20b6002b423051

SHA1
dd02a044dcf0acb169a12857560b210a2070138a

SHA256
5790400ea64046df7ad7c5559a0f69d5e795f874b1ece0dce550c77be1c1bf9c

SHA512
7a1752de33cdaf649bd7bb003d1fc84422cd5ddee1426ce3dfb0965da2f02b7af3bbdee4b30b98e75be7e2c2b103ed549bc7478feddc39afbc10730dd26d522b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j5dzw1x0\j5dzw1x0.cmdline

Filesize
235B

MD5
9850dc5836b74bea5e114595c4fc9063

SHA1
2802ceeb21d6d21d9dcc22337d3fcf4f59321d84

SHA256
42c8c629f30124ee44f6cc5f31352399f97eded4f8fcaa6ab812e6bf8711e50c

SHA512
70d0984e1651fc1cfea0b3df6d99e6a046bd2c2f7a5458d3cb5df2f5596cf8b49ada63c71b375ea71e994ab43f1884cbe255b06e7688d1b0dcde864af4b1c75a

Download Submit
\??\c:\Windows\System32\CSCE5CEE1541E2D476FA16BD463D5834231.TMP

Filesize
1KB

MD5
1c519e4618f2b468d0f490d4a716da11

SHA1
1a693d0046e48fa813e4fa3bb94ccd20d43e3106

SHA256
4dbf16e3b3bb06c98eeaf27d0a25d9f34ee0ceac51e6365218ef7cd09edb3438

SHA512
99f293878a08b56db6ff2297f243f5f5b85864e6925a1d6af61a65369f7eb323ae1b75fe5f1465fac0b982ac9f49b9e0a295b5dac947da40f61991c4411233fd

Download Submit
memory/2912-23-0x0000000002DE0000-0x0000000002DEC000-memory.dmp

Filesize
48KB

Download
memory/2912-13-0x0000000002E20000-0x0000000002E38000-memory.dmp

Filesize
96KB

Download
memory/2912-16-0x000000001B930000-0x000000001B942000-memory.dmp

Filesize
72KB

Download
memory/2912-18-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/2912-19-0x000000001C230000-0x000000001C758000-memory.dmp

Filesize
5.2MB

Download
memory/2912-21-0x0000000002DD0000-0x0000000002DD8000-memory.dmp

Filesize
32KB

Download
memory/2912-24-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/2912-0-0x00007FF8AC373000-0x00007FF8AC375000-memory.dmp

Filesize
8KB

Download
memory/2912-36-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/2912-9-0x0000000002E00000-0x0000000002E1C000-memory.dmp

Filesize
112KB

Download
memory/2912-37-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/2912-38-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/2912-11-0x000000001BCB0000-0x000000001BD00000-memory.dmp

Filesize
320KB

Download
memory/2912-17-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/2912-14-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/2912-10-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/2912-51-0x00007FF8AC373000-0x00007FF8AC375000-memory.dmp

Filesize
8KB

Download
memory/2912-52-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/2912-1-0x0000000000AC0000-0x0000000000CAE000-memory.dmp

Filesize
1.9MB

Download
memory/2912-7-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/2912-77-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/2912-6-0x0000000002DC0000-0x0000000002DCE000-memory.dmp

Filesize
56KB

Download
memory/2912-4-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/2912-3-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/2912-2-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/3544-67-0x0000027483570000-0x0000027483592000-memory.dmp

Filesize
136KB

Download