dcrat | a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469

Analysis

max time kernel
132s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d756772bc00e5778d794c107358ddf7.exe
Size

1.9MB
MD5

2d756772bc00e5778d794c107358ddf7
SHA1

77229fc9ceeb137c6644a4fa3085aecabaf94ec3
SHA256

a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469
SHA512

31fae1a50618ed221cef3bfc72a017e8e925c3aa2bac727040ee655d9dff567813e91d76fecda0478653d50b8061481447ded77939b94e1ec823c3419b68c783
SSDEEP

24576:S1cKuEoW9iN0TvOJcaCXMgg2Suqp6Nheem6Vuuean7WiOLYGhYJG9oQpyhctpnWq:wb24KbkglgVMm9OAG9oMgctpnW5yI4

Score

10^/10

dcrat execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

2d756772bc00e5778d794c107358ddf7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Pictures\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows NT\\sysmon.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Pictures\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows NT\\sysmon.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Pictures\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows NT\\sysmon.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2d756772bc00e5778d794c107358ddf7.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Pictures\\dwm.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Pictures\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Pictures\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows NT\\sysmon.exe\""	2d756772bc00e5778d794c107358ddf7.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	2124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	2124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	2124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	2124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	2124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	2124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	2124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	2124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	2124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	2124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	2124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	2124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2124	schtasks.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1712 powershell.exe
2168 powershell.exe
1520 powershell.exe
1532 powershell.exe
1572 powershell.exe
208 powershell.exe

pid	process
1712	powershell.exe
2168	powershell.exe
1520	powershell.exe
1532	powershell.exe
1572	powershell.exe
208	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2d756772bc00e5778d794c107358ddf7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	2d756772bc00e5778d794c107358ddf7.exe

Executes dropped EXE 1 IoCs

Processes:

dwm.exe

pid process

972 dwm.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
972	dwm.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2d756772bc00e5778d794c107358ddf7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default\\Pictures\\dwm.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2d756772bc00e5778d794c107358ddf7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2d756772bc00e5778d794c107358ddf7.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2d756772bc00e5778d794c107358ddf7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2d756772bc00e5778d794c107358ddf7.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default\\Pictures\\dwm.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files (x86)\\Windows NT\\sysmon.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files (x86)\\Windows NT\\sysmon.exe\""	2d756772bc00e5778d794c107358ddf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\""	2d756772bc00e5778d794c107358ddf7.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

43 ipinfo.io
14 ipinfo.io
15 ipinfo.io
42 ipinfo.io

flow	ioc
43	ipinfo.io
14	ipinfo.io
15	ipinfo.io
42	ipinfo.io

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\lhkpi-.exe	csc.exe
File created	\??\c:\Windows\System32\CSCE9775499A1F341F49FFB42D3A3EE0E6.TMP	csc.exe

Drops file in Program Files directory 4 IoCs

Processes:

2d756772bc00e5778d794c107358ddf7.exe

description	ioc	process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\SearchApp.exe	2d756772bc00e5778d794c107358ddf7.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\38384e6a620884	2d756772bc00e5778d794c107358ddf7.exe
File created	C:\Program Files (x86)\Windows NT\sysmon.exe	2d756772bc00e5778d794c107358ddf7.exe
File created	C:\Program Files (x86)\Windows NT\121e5b5079f7c0	2d756772bc00e5778d794c107358ddf7.exe

Drops file in Windows directory 2 IoCs

Processes:

2d756772bc00e5778d794c107358ddf7.exe

description	ioc	process
File created	C:\Windows\WaaS\services\SppExtComObj.exe	2d756772bc00e5778d794c107358ddf7.exe
File created	C:\Windows\ServiceState\EventLog\Data\RuntimeBroker.exe	2d756772bc00e5778d794c107358ddf7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

2d756772bc00e5778d794c107358ddf7.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	2d756772bc00e5778d794c107358ddf7.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
3640	schtasks.exe
1524	schtasks.exe
4136	schtasks.exe
3332	schtasks.exe
2120	schtasks.exe
4152	schtasks.exe
4144	schtasks.exe
4004	schtasks.exe
4912	schtasks.exe
4736	schtasks.exe
4548	schtasks.exe
2388	schtasks.exe
4336	schtasks.exe
2560	schtasks.exe
4724	schtasks.exe
2092	schtasks.exe
3724	schtasks.exe
2176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2d756772bc00e5778d794c107358ddf7.exe

pid	process
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe
3696	2d756772bc00e5778d794c107358ddf7.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dwm.exe

pid process

972 dwm.exe

pid	process
972	dwm.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

2d756772bc00e5778d794c107358ddf7.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedwm.exe

description	pid	process
Token: SeDebugPrivilege	3696	2d756772bc00e5778d794c107358ddf7.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	972	dwm.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

2d756772bc00e5778d794c107358ddf7.execsc.execmd.exe

description	pid	process	target process
PID 3696 wrote to memory of 2032	3696	2d756772bc00e5778d794c107358ddf7.exe	csc.exe
PID 3696 wrote to memory of 2032	3696	2d756772bc00e5778d794c107358ddf7.exe	csc.exe
PID 2032 wrote to memory of 2884	2032	csc.exe	cvtres.exe
PID 2032 wrote to memory of 2884	2032	csc.exe	cvtres.exe
PID 3696 wrote to memory of 1712	3696	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 3696 wrote to memory of 1712	3696	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 3696 wrote to memory of 2168	3696	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 3696 wrote to memory of 2168	3696	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 3696 wrote to memory of 1520	3696	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 3696 wrote to memory of 1520	3696	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 3696 wrote to memory of 1532	3696	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 3696 wrote to memory of 1532	3696	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 3696 wrote to memory of 1572	3696	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 3696 wrote to memory of 1572	3696	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 3696 wrote to memory of 208	3696	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 3696 wrote to memory of 208	3696	2d756772bc00e5778d794c107358ddf7.exe	powershell.exe
PID 3696 wrote to memory of 1896	3696	2d756772bc00e5778d794c107358ddf7.exe	cmd.exe
PID 3696 wrote to memory of 1896	3696	2d756772bc00e5778d794c107358ddf7.exe	cmd.exe
PID 1896 wrote to memory of 3036	1896	cmd.exe	chcp.com
PID 1896 wrote to memory of 3036	1896	cmd.exe	chcp.com
PID 1896 wrote to memory of 3404	1896	cmd.exe	w32tm.exe
PID 1896 wrote to memory of 3404	1896	cmd.exe	w32tm.exe
PID 1896 wrote to memory of 972	1896	cmd.exe	dwm.exe
PID 1896 wrote to memory of 972	1896	cmd.exe	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe
"C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0ud3xlmm\0ud3xlmm.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD8EB.tmp" "c:\Windows\System32\CSCE9775499A1F341F49FFB42D3A3EE0E6.TMP"
    3⤵
    PID:2884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gD3w79rvHf.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3036
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3404
- - C:\Users\Default\Pictures\dwm.exe
    "C:\Users\Default\Pictures\dwm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Pictures\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Pictures\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2d756772bc00e5778d794c107358ddf72" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2d756772bc00e5778d794c107358ddf7" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2d756772bc00e5778d794c107358ddf72" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD8EB.tmp

Filesize
1KB

MD5
d3f29229a436468d08bcd8681d2c22c4

SHA1
8dba7856aa721b3689bb1ef1d4378e1ba7ff70f8

SHA256
3760fa90a828ed8d3060e46a01efef3061b14f4a01e76563e448a9ef53304a15

SHA512
b8bdb5cc70404fb94a0ee4690adb684a2171085eabc6fbbb14768d8b66ccf68e08221e3a57019040d1cdd03c0fb9ffaf75b71bfc5bf19ef8be76e19ea33902f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qy0blpeo.dis.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gD3w79rvHf.bat

Filesize
209B

MD5
9ed8c6c6c24a50affc65ee1488f23528

SHA1
c802be19e82c4fa8fab14369c48a57e7c1197255

SHA256
f92392be9a1996f34a33c20e33a572fb0e3a0757540d681fcc0fa84858afe2f3

SHA512
8cf18997117ba25b529452ace957013306ea8959df810e148618b8178e601533a48a121d418f43689fac2e4981677ab319e1425df3d301d2ec8481129717a72e

Download Submit
C:\Users\Default\Pictures\dwm.exe

Filesize
1.9MB

MD5
2d756772bc00e5778d794c107358ddf7

SHA1
77229fc9ceeb137c6644a4fa3085aecabaf94ec3

SHA256
a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469

SHA512
31fae1a50618ed221cef3bfc72a017e8e925c3aa2bac727040ee655d9dff567813e91d76fecda0478653d50b8061481447ded77939b94e1ec823c3419b68c783

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0ud3xlmm\0ud3xlmm.0.cs

Filesize
365B

MD5
8c024e8068db50b3b324eb155ae9ad1c

SHA1
1f2aa5cddf9ebbbc19f767a0dc2fcf25cf274c72

SHA256
9121f0c9175aae080903c02a22392b6a732e7dcec0a344e6c2efe55c5a0c8781

SHA512
349cc317bdfd59a220d5fafabe92ca13d4563b532c0f38043c8b27950600035a1cf16e9c79a2b5ce2abea911c4c63d30f6a401cefcbf70b68d6f0e37c872af72

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0ud3xlmm\0ud3xlmm.cmdline

Filesize
235B

MD5
ac108600f4375570fa6b7bea0bcd3481

SHA1
814d96662818d68d147d1806288c1699b9d324a4

SHA256
dbf8b634d6c3718fb04937fd72d7cefdd3b3ecc3a99ebf4b84d88e85eb41f66b

SHA512
b6532e862aef6f9e6a81d05e1184adb42cde5e659d6ebe7e382ffc20a38431b6bcfb42f237f9c92e8e1f681f2e8060f21217c5dbc62742c17cd4ef1e173a4dce

Download Submit
\??\c:\Windows\System32\CSCE9775499A1F341F49FFB42D3A3EE0E6.TMP

Filesize
1KB

MD5
75e32610d8ef6143201c7c28465fcda9

SHA1
b2bae99fade2dda07aecbe1659d184be0fc4e7a6

SHA256
97ee1cac3965d9cc55a60f20206f384719431f19ac96bdc52b93a98de51a639b

SHA512
b303fb99586efd19a08223ba93472fa6d33fcf9198bbf42fb16ba61001db59e5fd5835ea7696ed34e4004d23fa60697e724e6085d1269d788204bf95dfe46abc

Download Submit
memory/208-62-0x000001E7AC030000-0x000001E7AC052000-memory.dmp

Filesize
136KB

Download
memory/3696-10-0x000000001B4F0000-0x000000001B50C000-memory.dmp

Filesize
112KB

Download
memory/3696-16-0x000000001B530000-0x000000001B542000-memory.dmp

Filesize
72KB

Download
memory/3696-18-0x000000001BE00000-0x000000001C328000-memory.dmp

Filesize
5.2MB

Download
memory/3696-20-0x000000001B4D0000-0x000000001B4D8000-memory.dmp

Filesize
32KB

Download
memory/3696-21-0x00007FFCC9ED0000-0x00007FFCCA991000-memory.dmp

Filesize
10.8MB

Download
memory/3696-23-0x000000001B4E0000-0x000000001B4EC000-memory.dmp

Filesize
48KB

Download
memory/3696-25-0x00007FFCC9ED0000-0x00007FFCCA991000-memory.dmp

Filesize
10.8MB

Download
memory/3696-32-0x00007FFCC9ED0000-0x00007FFCCA991000-memory.dmp

Filesize
10.8MB

Download
memory/3696-12-0x000000001B880000-0x000000001B8D0000-memory.dmp

Filesize
320KB

Download
memory/3696-40-0x00007FFCC9ED0000-0x00007FFCCA991000-memory.dmp

Filesize
10.8MB

Download
memory/3696-41-0x00007FFCC9ED0000-0x00007FFCCA991000-memory.dmp

Filesize
10.8MB

Download
memory/3696-17-0x00007FFCC9ED0000-0x00007FFCCA991000-memory.dmp

Filesize
10.8MB

Download
memory/3696-14-0x000000001B510000-0x000000001B528000-memory.dmp

Filesize
96KB

Download
memory/3696-11-0x00007FFCC9ED0000-0x00007FFCCA991000-memory.dmp

Filesize
10.8MB

Download
memory/3696-0-0x00007FFCC9ED3000-0x00007FFCC9ED5000-memory.dmp

Filesize
8KB

Download
memory/3696-56-0x00007FFCC9ED0000-0x00007FFCCA991000-memory.dmp

Filesize
10.8MB

Download
memory/3696-8-0x00007FFCC9ED0000-0x00007FFCCA991000-memory.dmp

Filesize
10.8MB

Download
memory/3696-7-0x00007FFCC9ED0000-0x00007FFCCA991000-memory.dmp

Filesize
10.8MB

Download
memory/3696-6-0x0000000002940000-0x000000000294E000-memory.dmp

Filesize
56KB

Download
memory/3696-4-0x00007FFCC9ED0000-0x00007FFCCA991000-memory.dmp

Filesize
10.8MB

Download
memory/3696-3-0x00007FFCC9ED0000-0x00007FFCCA991000-memory.dmp

Filesize
10.8MB

Download
memory/3696-2-0x00007FFCC9ED0000-0x00007FFCCA991000-memory.dmp

Filesize
10.8MB

Download
memory/3696-1-0x00000000006E0000-0x00000000008CE000-memory.dmp

Filesize
1.9MB

Download