dcrat | 0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
Size

1.7MB
MD5

69bb335d9d60e6399c45414909b3d9e2
SHA1

a9df4481f968c986a1fa1570fb021b79ac0cfb07
SHA256

0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47
SHA512

af3f6c93bf09e27f3de0b13a724a1580f98579cc381507021fccd6686eb8f3f74dc845efb5bea00da94dd41cabb66e83c368befc0219724c2430044129a2660e
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJQ:NgwuuEpdDLNwVMeXDL0fdSzAG3

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2068	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2200-1-0x0000000000910000-0x0000000000AC6000-memory.dmp	dcrat
C:\Users\Admin\AppData\Local\Temp\RCXE9C4.tmp	dcrat
C:\Users\Default\lsm.exe	dcrat
behavioral1/memory/2312-149-0x0000000000C40000-0x0000000000DF6000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2968	powershell.exe
3004	powershell.exe
2416	powershell.exe
3028	powershell.exe
1764	powershell.exe
1988	powershell.exe
1972	powershell.exe
2004	powershell.exe
2264	powershell.exe
2420	powershell.exe
2916	powershell.exe
2636	powershell.exe

Drops file in Drivers directory 1 IoCs

Processes:

0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe

Executes dropped EXE 2 IoCs

Processes:

System.exeSystem.exe

pid process

2312 System.exe
2776 System.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2312	System.exe
2776	System.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2708	schtasks.exe
2204	schtasks.exe
2720	schtasks.exe
2820	schtasks.exe
2888	schtasks.exe
2856	schtasks.exe
2728	schtasks.exe
2116	schtasks.exe
2904	schtasks.exe
2952	schtasks.exe
2712	schtasks.exe
2680	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSystem.exe

pid	process
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2420	powershell.exe
2416	powershell.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2264	powershell.exe
3028	powershell.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
2636	powershell.exe
2004	powershell.exe
1764	powershell.exe
2916	powershell.exe
3004	powershell.exe
1988	powershell.exe
2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
1972	powershell.exe
2968	powershell.exe
2312	System.exe
2312	System.exe
2312	System.exe
2312	System.exe
2312	System.exe
2312	System.exe
2312	System.exe
2312	System.exe
2312	System.exe
2312	System.exe
2312	System.exe
2312	System.exe
2312	System.exe
2312	System.exe
2312	System.exe
2312	System.exe
2312	System.exe
2312	System.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2312	System.exe
Token: SeDebugPrivilege	2776	System.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exeSystem.exeWScript.exe

description	pid	process	target process
PID 2200 wrote to memory of 1972	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 1972	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 1972	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 2004	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 2004	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 2004	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 1988	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 1988	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 1988	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 1764	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 1764	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 1764	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 2916	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 2916	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 2916	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 2968	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 2968	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 2968	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 3028	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 3028	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 3028	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 3004	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 3004	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 3004	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 2636	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 2636	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 2636	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 2416	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 2416	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 2416	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 2420	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 2420	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 2420	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 2264	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 2264	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 2264	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	powershell.exe
PID 2200 wrote to memory of 2312	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	System.exe
PID 2200 wrote to memory of 2312	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	System.exe
PID 2200 wrote to memory of 2312	2200	0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe	System.exe
PID 2312 wrote to memory of 2728	2312	System.exe	WScript.exe
PID 2312 wrote to memory of 2728	2312	System.exe	WScript.exe
PID 2312 wrote to memory of 2728	2312	System.exe	WScript.exe
PID 2312 wrote to memory of 2044	2312	System.exe	WScript.exe
PID 2312 wrote to memory of 2044	2312	System.exe	WScript.exe
PID 2312 wrote to memory of 2044	2312	System.exe	WScript.exe
PID 2728 wrote to memory of 2776	2728	WScript.exe	System.exe
PID 2728 wrote to memory of 2776	2728	WScript.exe	System.exe
PID 2728 wrote to memory of 2776	2728	WScript.exe	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe
"C:\Users\Admin\AppData\Local\Temp\0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe
  "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bed7502-7b95-44b6-9a68-1a91841fd58e.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe
      "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2776
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eead201f-b525-460c-bf29-68a58247bcac.vbs"
    3⤵
    PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e470" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e470" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\Sample Music\0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe

Filesize
1.7MB

MD5
69bb335d9d60e6399c45414909b3d9e2

SHA1
a9df4481f968c986a1fa1570fb021b79ac0cfb07

SHA256
0dafb94f1ca5cf35a60952376c44e08efe7c71ad12988fcb5026e75b39e15e47

SHA512
af3f6c93bf09e27f3de0b13a724a1580f98579cc381507021fccd6686eb8f3f74dc845efb5bea00da94dd41cabb66e83c368befc0219724c2430044129a2660e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bed7502-7b95-44b6-9a68-1a91841fd58e.vbs

Filesize
749B

MD5
0bb4cade94c782b4b10dbe86dc12f9f1

SHA1
734c2a1a78f8a00a641ab38ff8fe5c08637f17f6

SHA256
376da11142623dd124bfd934cdfeb22e4ee63a64d5f62b6ebc18bbef9fc8d87a

SHA512
d4216c1784146f2fc821281b67d4ff0fda2a018fe620b6cc2d6b43923c773a4f37b614e366dda8c04104b3c728629899ff31ad515619878a59d4296c8335495b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXE9C4.tmp

Filesize
1.7MB

MD5
6025a571157fca934b0a10a53c112bd0

SHA1
e6abd828d62fe816a316ba2c3ff4ae8b2033be33

SHA256
8e9ebe22d1b2b3c07bee3524ec09d4d657134d78ad27491397b6d73d83b1e3f8

SHA512
aa527ab4bda8490db528ccad1511fc8412988f65b2c9cd63de72430c803050beb9c0bf5438e0c58e0344daf65775f4cc7269a547b2aee303bd0cb57ee7169840

Download Submit
C:\Users\Admin\AppData\Local\Temp\eead201f-b525-460c-bf29-68a58247bcac.vbs

Filesize
525B

MD5
9265c11281cbde298bc53a1082bc73fc

SHA1
bbe0f8a928e82a5bd6696f7dc5ef4dd757d3f72d

SHA256
6f5a6966931c117713d6a7cde1a9016d31129a557e09b3e8045dfb7aad24d9c8

SHA512
f9821df7b12dd520a262e03c6870c72d8527c20fdc22670fc7052f8c3fde83d9bd0b69c90c39bbb1bb22b4992a5f6823ac67a0b95d892f4ad1213752df75d64d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d90132165e8fbce21ddd27f02fa8fd43

SHA1
3b7a9e9b422727da599d08a47995bb02d795a5b2

SHA256
53e6e9e3cac36928051d534b98ac884a70ae798b235d1230874aae90396e6811

SHA512
12f6b7f9be4fcd4c68c016b34b72411168c310bd2bb583f698df0de9064c071f7c17a2a51c0f34ad5740f3880b00da4916461adb3d30a5af5562f1fba23405d3

Download Submit
C:\Users\Default\lsm.exe

Filesize
1.7MB

MD5
645412164437ef3d3f3d01460bd5b7ea

SHA1
01bc7addbafbd9b406ce304bdda1621a1dcb6491

SHA256
50a72a8aa2d6d97684cebd6ab99c547c97ea3efda06d3bd21856f81bed6b23f0

SHA512
b836b1dfca81de117eeb7b813320e81edb8b2e88db8e2d1c4dabc7700ed8d72b6ec7a88a89881f3489ff41c8099ee389545dc34aa9b33ab4e1551d9fe7c6fd49

Download Submit
memory/2200-17-0x00000000021B0000-0x00000000021BC000-memory.dmp

Filesize
48KB

Download
memory/2200-26-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2200-8-0x0000000000760000-0x0000000000770000-memory.dmp

Filesize
64KB

Download
memory/2200-9-0x0000000000750000-0x000000000075C000-memory.dmp

Filesize
48KB

Download
memory/2200-10-0x0000000002050000-0x0000000002058000-memory.dmp

Filesize
32KB

Download
memory/2200-12-0x00000000020E0000-0x00000000020EC000-memory.dmp

Filesize
48KB

Download
memory/2200-13-0x00000000020F0000-0x00000000020FC000-memory.dmp

Filesize
48KB

Download
memory/2200-14-0x0000000002100000-0x000000000210A000-memory.dmp

Filesize
40KB

Download
memory/2200-15-0x0000000002190000-0x0000000002198000-memory.dmp

Filesize
32KB

Download
memory/2200-16-0x00000000021A0000-0x00000000021AC000-memory.dmp

Filesize
48KB

Download
memory/2200-0-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

Filesize
4KB

Download
memory/2200-20-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2200-21-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2200-7-0x0000000000290000-0x00000000002A2000-memory.dmp

Filesize
72KB

Download
memory/2200-6-0x0000000000520000-0x0000000000536000-memory.dmp

Filesize
88KB

Download
memory/2200-5-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2200-4-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/2200-1-0x0000000000910000-0x0000000000AC6000-memory.dmp

Filesize
1.7MB

Download
memory/2200-2-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2200-150-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2200-134-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

Filesize
4KB

Download
memory/2200-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/2312-149-0x0000000000C40000-0x0000000000DF6000-memory.dmp

Filesize
1.7MB

Download
memory/2312-151-0x00000000006D0000-0x00000000006E2000-memory.dmp

Filesize
72KB

Download
memory/2416-92-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/2420-98-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/2776-162-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download