dcrat | 8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969

Analysis

max time kernel
22s
max time network
22s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
Size

1.7MB
MD5

4a5c7c2dbe4a21ac2ba7fbe0f6d95b00
SHA1

9afae33f6d4d8c5f8ec826c9cb344e72b26095fc
SHA256

8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969
SHA512

3ed0b9cf6b6794d35ccb688a808f14ccf1c4b52b0464f80595b86d0eb347268ccffc05dfbcfe2c2103afeff8ef31045cb9e88edeba0436ad6294f97514fca8c6
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2604	schtasks.exe	30

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2892-1-0x0000000000CF0000-0x0000000000EA6000-memory.dmp	dcrat
behavioral1/files/0x00070000000164de-30.dat	dcrat
behavioral1/files/0x000c000000016c89-74.dat	dcrat
behavioral1/memory/2076-149-0x0000000000240000-0x00000000003F6000-memory.dmp	dcrat
behavioral1/memory/760-160-0x00000000011D0000-0x0000000001386000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
888	powershell.exe
604	powershell.exe
1160	powershell.exe
2952	powershell.exe
1496	powershell.exe
1488	powershell.exe
1156	powershell.exe
1756	powershell.exe
1356	powershell.exe
944	powershell.exe
1644	powershell.exe
1952	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe

Executes dropped EXE 2 IoCs

pid	Process
2076	spoolsv.exe
760	spoolsv.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\dwm.exe	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
File created	C:\Program Files\Google\6cb0b6c459d5d3	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
File opened for modification	C:\Program Files\Google\RCX8114.tmp	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX831A.tmp	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
File created	C:\Program Files\Google\dwm.exe	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
File opened for modification	C:\Program Files\Google\RCX8115.tmp	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX8319.tmp	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LiveKernelReports\RCX851D.tmp	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
File opened for modification	C:\Windows\LiveKernelReports\RCX851E.tmp	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
File opened for modification	C:\Windows\LiveKernelReports\audiodg.exe	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
File created	C:\Windows\schemas\EAPHost\sppsvc.exe	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
File created	C:\Windows\LiveKernelReports\audiodg.exe	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
File created	C:\Windows\LiveKernelReports\42af1c969fbb7b	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2488	schtasks.exe
2576	schtasks.exe
2644	schtasks.exe
2196	schtasks.exe
2388	schtasks.exe
2668	schtasks.exe
1844	schtasks.exe
1968	schtasks.exe
2124	schtasks.exe
2716	schtasks.exe
2748	schtasks.exe
320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
1644	powershell.exe
1952	powershell.exe
1756	powershell.exe
2952	powershell.exe
1496	powershell.exe
1160	powershell.exe
604	powershell.exe
1356	powershell.exe
888	powershell.exe
944	powershell.exe
1488	powershell.exe
1156	powershell.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	604	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	2076	spoolsv.exe
Token: SeDebugPrivilege	760	spoolsv.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 1756	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	43
PID 2892 wrote to memory of 1756	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	43
PID 2892 wrote to memory of 1756	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	43
PID 2892 wrote to memory of 1952	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	44
PID 2892 wrote to memory of 1952	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	44
PID 2892 wrote to memory of 1952	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	44
PID 2892 wrote to memory of 1644	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	46
PID 2892 wrote to memory of 1644	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	46
PID 2892 wrote to memory of 1644	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	46
PID 2892 wrote to memory of 888	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	47
PID 2892 wrote to memory of 888	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	47
PID 2892 wrote to memory of 888	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	47
PID 2892 wrote to memory of 1156	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	49
PID 2892 wrote to memory of 1156	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	49
PID 2892 wrote to memory of 1156	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	49
PID 2892 wrote to memory of 1488	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	51
PID 2892 wrote to memory of 1488	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	51
PID 2892 wrote to memory of 1488	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	51
PID 2892 wrote to memory of 1496	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	52
PID 2892 wrote to memory of 1496	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	52
PID 2892 wrote to memory of 1496	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	52
PID 2892 wrote to memory of 944	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	53
PID 2892 wrote to memory of 944	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	53
PID 2892 wrote to memory of 944	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	53
PID 2892 wrote to memory of 2952	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	54
PID 2892 wrote to memory of 2952	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	54
PID 2892 wrote to memory of 2952	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	54
PID 2892 wrote to memory of 1160	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	55
PID 2892 wrote to memory of 1160	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	55
PID 2892 wrote to memory of 1160	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	55
PID 2892 wrote to memory of 604	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	56
PID 2892 wrote to memory of 604	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	56
PID 2892 wrote to memory of 604	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	56
PID 2892 wrote to memory of 1356	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	57
PID 2892 wrote to memory of 1356	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	57
PID 2892 wrote to memory of 1356	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	57
PID 2892 wrote to memory of 1292	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	67
PID 2892 wrote to memory of 1292	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	67
PID 2892 wrote to memory of 1292	2892	8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe	67
PID 1292 wrote to memory of 1376	1292	cmd.exe	69
PID 1292 wrote to memory of 1376	1292	cmd.exe	69
PID 1292 wrote to memory of 1376	1292	cmd.exe	69
PID 1292 wrote to memory of 2076	1292	cmd.exe	70
PID 1292 wrote to memory of 2076	1292	cmd.exe	70
PID 1292 wrote to memory of 2076	1292	cmd.exe	70
PID 2076 wrote to memory of 2848	2076	spoolsv.exe	71
PID 2076 wrote to memory of 2848	2076	spoolsv.exe	71
PID 2076 wrote to memory of 2848	2076	spoolsv.exe	71
PID 2076 wrote to memory of 2912	2076	spoolsv.exe	72
PID 2076 wrote to memory of 2912	2076	spoolsv.exe	72
PID 2076 wrote to memory of 2912	2076	spoolsv.exe	72
PID 2848 wrote to memory of 760	2848	WScript.exe	74
PID 2848 wrote to memory of 760	2848	WScript.exe	74
PID 2848 wrote to memory of 760	2848	WScript.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe
"C:\Users\Admin\AppData\Local\Temp\8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969N.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lxmifgtkQ1.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1376
- - C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe
    "C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47f077f5-c093-4271-b19e-e1e016730f1c.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a346683d-bfb4-4339-9c93-be0beec481df.vbs"
      4⤵
      PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Google\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Sample Pictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\47f077f5-c093-4271-b19e-e1e016730f1c.vbs

Filesize
735B

MD5
2c1ba30cd9fc2cef0cddbe37aa3b98e6

SHA1
a443b1e594b80926d6fbeb4e5eda9d8c9556a7fd

SHA256
a5c64877a52fdd6fe87313bfde95d729061b4d4f525ee2a0401e108b39f4327d

SHA512
b2e24dc54f317f64a56cd88b38277044bb6e691698c124e801f88c291a27e53c45e1f1b542a527404d353d04f0b9ff21889e8acbc4528e7ba77d7ac5a163e842

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX7F10.tmp

Filesize
1.7MB

MD5
4a5c7c2dbe4a21ac2ba7fbe0f6d95b00

SHA1
9afae33f6d4d8c5f8ec826c9cb344e72b26095fc

SHA256
8a2b6f9995b027c6c3e8c3831dff97c05e10d5c5289f34c567841f13e8bb0969

SHA512
3ed0b9cf6b6794d35ccb688a808f14ccf1c4b52b0464f80595b86d0eb347268ccffc05dfbcfe2c2103afeff8ef31045cb9e88edeba0436ad6294f97514fca8c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a346683d-bfb4-4339-9c93-be0beec481df.vbs

Filesize
511B

MD5
331668db9606b3bdada0a26001e626be

SHA1
73a6fce922bf3d11fe8bf283b560c0572dc68ee7

SHA256
352126fc43005442b89e09274ab2b0336120fd6ad1b3185e0cf67d0e55e4b893

SHA512
ed704cdf36d370bbb00c9f4502360d56f4d4abcde431a31fcde6cd2ab55f999584f249e3e032cafcf9c51b39e39907a24a7a785b0c8424432e97bdbc2aad9f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxmifgtkQ1.bat

Filesize
224B

MD5
d635207bfe97ee063178124dc8fa1f29

SHA1
2d2db7f85401b1399a00d262aac8b9e461c8fe27

SHA256
a806d6f81dc8b2db7fdada6024b2b8ea6e21e1e2e3345c676ae7e5d5260d80f4

SHA512
9f6e5ade7839dc165ee54427e6858d9b996b2488476d7ab3362e71c87d19a850e7908a2506e17e7dc624734dd52b26df9c223df4ca7137a250a02c05e072f0ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I4U1N61SUBKC0HUBZ46A.temp

Filesize
7KB

MD5
b23bbe64e181a49f90e37bd839e3ab6e

SHA1
b5b6fa2ec0d8cc14d4ebe4c4cff378d5e9e9f04e

SHA256
e7238a9d34dca69e738c24405aa5f3c50429e072fcae962ae719afefcec8a605

SHA512
d72cfaa896eb02d7319ba4588b6e3b6602db26eb1be1880c3f58acb4be616ca86e386469958339400c9f940bba74518cc9f40ae262c4a2ea8a046d61ce5c5c65

Download Submit
C:\Users\Public\Pictures\Sample Pictures\System.exe

Filesize
1.7MB

MD5
7b1a512073ece765b4a3209133efe013

SHA1
c7aafdb64fa5b991aa2d21787f07180b78d5a654

SHA256
aee5bf958124b3848df42ad0e00eb3fc9d2eec119c56d9afd3a3fd40f6c5a9f1

SHA512
df218273cba3f5150b4473a090dbc3224d2dc30a64a930c7b90341f8036972e30d279524511f3ed17febfc43065780d36a788ba4a21d60e15d2ed9d581be4f85

Download Submit
memory/760-160-0x00000000011D0000-0x0000000001386000-memory.dmp

Filesize
1.7MB

Download
memory/1644-94-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/1644-93-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2076-149-0x0000000000240000-0x00000000003F6000-memory.dmp

Filesize
1.7MB

Download
memory/2892-7-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/2892-9-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

Filesize
48KB

Download
memory/2892-13-0x0000000000B20000-0x0000000000B2C000-memory.dmp

Filesize
48KB

Download
memory/2892-16-0x0000000000C50000-0x0000000000C5C000-memory.dmp

Filesize
48KB

Download
memory/2892-15-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download
memory/2892-14-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download
memory/2892-17-0x0000000000C60000-0x0000000000C6C000-memory.dmp

Filesize
48KB

Download
memory/2892-18-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2892-10-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/2892-12-0x0000000000B10000-0x0000000000B1C000-memory.dmp

Filesize
48KB

Download
memory/2892-8-0x0000000000AF0000-0x0000000000B00000-memory.dmp

Filesize
64KB

Download
memory/2892-0-0x000007FEF59E3000-0x000007FEF59E4000-memory.dmp

Filesize
4KB

Download
memory/2892-6-0x0000000000510000-0x0000000000526000-memory.dmp

Filesize
88KB

Download
memory/2892-100-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2892-5-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2892-4-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/2892-3-0x0000000000470000-0x000000000048C000-memory.dmp

Filesize
112KB

Download
memory/2892-2-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2892-1-0x0000000000CF0000-0x0000000000EA6000-memory.dmp

Filesize
1.7MB

Download