dcrat | dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
Size

1.7MB
MD5

90f12351f5b3d8a454e577a700d050e7
SHA1

54cd67455b129f4de02a08d46e7d3c6526136afa
SHA256

dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54
SHA512

5a550068b7466e263048f86950da97bfcdb76580f556b3a9187957926a6535ebb3684ad7c1b276c06fdf337b0fd9676f8d39618562e15bf8814e756ff8e8ae44
SSDEEP

24576:t3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:tgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2312	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2312	schtasks.exe	30

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/3032-1-0x00000000011A0000-0x0000000001356000-memory.dmp	dcrat
behavioral1/files/0x00050000000191f3-27.dat	dcrat
behavioral1/files/0x0006000000019389-48.dat	dcrat
behavioral1/files/0x000d000000012117-92.dat	dcrat
behavioral1/memory/2108-201-0x0000000000ED0000-0x0000000001086000-memory.dmp	dcrat
behavioral1/memory/392-214-0x0000000000EF0000-0x00000000010A6000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1648	powershell.exe
1728	powershell.exe
572	powershell.exe
1856	powershell.exe
2124	powershell.exe
1780	powershell.exe
1468	powershell.exe
1688	powershell.exe
3012	powershell.exe
1644	powershell.exe
1148	powershell.exe
840	powershell.exe

Drops file in Drivers directory 1 IoCs

Processes:

dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe

Executes dropped EXE 2 IoCs

Processes:

lsm.exelsm.exe

pid	Process
2108	lsm.exe
392	lsm.exe

Drops file in Program Files directory 15 IoCs

Processes:

dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\cc11b995f2a76d	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\winlogon.exe	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX6323.tmp	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\lsm.exe	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
File created	C:\Program Files (x86)\Windows Portable Devices\b75386f1303e64	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\101b941d020240	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\RCX5EAC.tmp	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\RCX5EAD.tmp	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCX6527.tmp	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
File created	C:\Program Files (x86)\Windows Portable Devices\taskhost.exe	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\winlogon.exe	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\lsm.exe	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX6324.tmp	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\taskhost.exe	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCX6528.tmp	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe

Drops file in Windows directory 6 IoCs

Processes:

dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe

description	ioc	Process
File created	C:\Windows\diagnostics\index\smss.exe	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
File created	C:\Windows\Speech\Engines\Lexicon\WmiPrvSE.exe	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
File created	C:\Windows\Speech\Engines\Lexicon\24dbde2999530e	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
File opened for modification	C:\Windows\Speech\Engines\Lexicon\RCX672C.tmp	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
File opened for modification	C:\Windows\Speech\Engines\Lexicon\RCX672D.tmp	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
File opened for modification	C:\Windows\Speech\Engines\Lexicon\WmiPrvSE.exe	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
3040	schtasks.exe
2136	schtasks.exe
2512	schtasks.exe
2624	schtasks.exe
2772	schtasks.exe
1556	schtasks.exe
2592	schtasks.exe
3044	schtasks.exe
404	schtasks.exe
1176	schtasks.exe
2256	schtasks.exe
1824	schtasks.exe
2132	schtasks.exe
2628	schtasks.exe
2552	schtasks.exe
2528	schtasks.exe
2712	schtasks.exe
2704	schtasks.exe
2572	schtasks.exe
2460	schtasks.exe
2616	schtasks.exe
2924	schtasks.exe
1604	schtasks.exe
2332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelsm.exe

pid	Process
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
1648	powershell.exe
1644	powershell.exe
1728	powershell.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
840	powershell.exe
3012	powershell.exe
1148	powershell.exe
1688	powershell.exe
1780	powershell.exe
572	powershell.exe
1468	powershell.exe
1856	powershell.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
2124	powershell.exe
3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
2108	lsm.exe
2108	lsm.exe
2108	lsm.exe
2108	lsm.exe
2108	lsm.exe
2108	lsm.exe
2108	lsm.exe
2108	lsm.exe
2108	lsm.exe
2108	lsm.exe
2108	lsm.exe
2108	lsm.exe
2108	lsm.exe
2108	lsm.exe
2108	lsm.exe
2108	lsm.exe
2108	lsm.exe
2108	lsm.exe
2108	lsm.exe
2108	lsm.exe
2108	lsm.exe
2108	lsm.exe
2108	lsm.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2108	lsm.exe
Token: SeDebugPrivilege	392	lsm.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exelsm.exeWScript.exe

description	pid	Process	procid_target
PID 3032 wrote to memory of 1648	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	55
PID 3032 wrote to memory of 1648	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	55
PID 3032 wrote to memory of 1648	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	55
PID 3032 wrote to memory of 1468	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	56
PID 3032 wrote to memory of 1468	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	56
PID 3032 wrote to memory of 1468	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	56
PID 3032 wrote to memory of 1688	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	57
PID 3032 wrote to memory of 1688	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	57
PID 3032 wrote to memory of 1688	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	57
PID 3032 wrote to memory of 3012	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	58
PID 3032 wrote to memory of 3012	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	58
PID 3032 wrote to memory of 3012	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	58
PID 3032 wrote to memory of 1644	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	59
PID 3032 wrote to memory of 1644	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	59
PID 3032 wrote to memory of 1644	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	59
PID 3032 wrote to memory of 1148	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	60
PID 3032 wrote to memory of 1148	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	60
PID 3032 wrote to memory of 1148	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	60
PID 3032 wrote to memory of 1856	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	61
PID 3032 wrote to memory of 1856	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	61
PID 3032 wrote to memory of 1856	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	61
PID 3032 wrote to memory of 2124	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	62
PID 3032 wrote to memory of 2124	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	62
PID 3032 wrote to memory of 2124	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	62
PID 3032 wrote to memory of 1728	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	63
PID 3032 wrote to memory of 1728	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	63
PID 3032 wrote to memory of 1728	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	63
PID 3032 wrote to memory of 1780	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	64
PID 3032 wrote to memory of 1780	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	64
PID 3032 wrote to memory of 1780	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	64
PID 3032 wrote to memory of 840	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	65
PID 3032 wrote to memory of 840	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	65
PID 3032 wrote to memory of 840	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	65
PID 3032 wrote to memory of 572	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	66
PID 3032 wrote to memory of 572	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	66
PID 3032 wrote to memory of 572	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	66
PID 3032 wrote to memory of 2108	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	79
PID 3032 wrote to memory of 2108	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	79
PID 3032 wrote to memory of 2108	3032	dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe	79
PID 2108 wrote to memory of 2216	2108	lsm.exe	80
PID 2108 wrote to memory of 2216	2108	lsm.exe	80
PID 2108 wrote to memory of 2216	2108	lsm.exe	80
PID 2108 wrote to memory of 2120	2108	lsm.exe	81
PID 2108 wrote to memory of 2120	2108	lsm.exe	81
PID 2108 wrote to memory of 2120	2108	lsm.exe	81
PID 2216 wrote to memory of 392	2216	WScript.exe	82
PID 2216 wrote to memory of 392	2216	WScript.exe	82
PID 2216 wrote to memory of 392	2216	WScript.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe
"C:\Users\Admin\AppData\Local\Temp\dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe
  "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fa51929-f410-4a45-abd7-78d3475afbee.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe
      C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:392
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac4a796e-9b4e-42ce-836b-589b039a8565.vbs"
    3⤵
    PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Templates\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech\Engines\Lexicon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\Lexicon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech\Engines\Lexicon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Templates\lsm.exe

Filesize
1.7MB

MD5
90f12351f5b3d8a454e577a700d050e7

SHA1
54cd67455b129f4de02a08d46e7d3c6526136afa

SHA256
dbd701c84a986548500e83ef3f7ad3ae832aa20660dcf2a3b10ba81263830f54

SHA512
5a550068b7466e263048f86950da97bfcdb76580f556b3a9187957926a6535ebb3684ad7c1b276c06fdf337b0fd9676f8d39618562e15bf8814e756ff8e8ae44

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\lsm.exe

Filesize
1.7MB

MD5
eec575e1ee8eb62de72d2cfb3a3493c4

SHA1
b7c304523d2bb0e3f75d92d9b20f7a2c5600f790

SHA256
0b697cb8c4e868dc8a718f83ab5d8310879f9a7c06e2d5d70f68f9689fb4bfb3

SHA512
94580e3d737fce0df8f08709cce5456ab2df9fa99c6fcba8179204aa7e4ddd137fe9eb6745e1c47c9c05f87862913252852587bf2fa9ddfb43bf2637d5c25f43

Download Submit
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe

Filesize
1.7MB

MD5
98bfddbce7753a96ea16b7b0a294b815

SHA1
f08fefe343cf1a0c433929da48ee5844132d56be

SHA256
d2b1dd95c551c59639455d7ebf28a7028aaeb7d3660ea1c0d0c95131fd79d505

SHA512
aa424b99148a33d698436ee8a9290a18f32944d69929d1d49f9c061f6cf561ddbf6edc4aac7f3768d58269516089181fc1b46061a5f746b96ef44b02768e8c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fa51929-f410-4a45-abd7-78d3475afbee.vbs

Filesize
732B

MD5
c52c789cd691e81af1e83f40a321c75e

SHA1
590f1b90b15af544cf37626e403d60f04fef97aa

SHA256
8e35bbc79b1ef64fba75e911b00d8612e9e352a68a879e67d51b2f58710e51c9

SHA512
5a6db2f89558eb859e44cefcb39b5a240d368f6af793a13786e14eeade2f90af023f7168e69a80044f09e93b616bf45ce9340e2fd52eb8f5892d5e86fa7876da

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac4a796e-9b4e-42ce-836b-589b039a8565.vbs

Filesize
508B

MD5
b41db8dfd22c1503ccfb60a80cd67472

SHA1
5b619072545cd36dd72e069ffbb82a09c27aa639

SHA256
ad6b3fbd5e4464104e348a73bebfac6b3d5cef9b56165dbb6cddcf1e7672ba47

SHA512
db865a1fde5d17cc3601ad595b0e3fbcbd4a405835fd41181b356ac3450e9b4efe4ea30832ad1e842313a0c15b3ff97b1b04d1383d41f6cf17fd882062fa52c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8b67f21c7e874555869292cf794411a3

SHA1
9d14c3be392baf93c0d3fd808494e782cd792369

SHA256
018434080f40e0ee9dfbac300d0f4e349ffeb3d44a5e03f3dd8a1e66b284c8da

SHA512
b0588281b6748dd3e7f060cf9273f2368cd4a14cf6343190b6f0891938de02afd0aff5cc63dc9c15c1d09f0ae918aa492d2f0a7e70ed9aebed81a3ccc5fb06e8

Download Submit
memory/392-214-0x0000000000EF0000-0x00000000010A6000-memory.dmp

Filesize
1.7MB

Download
memory/1648-138-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/1648-141-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2108-203-0x0000000000A40000-0x0000000000A52000-memory.dmp

Filesize
72KB

Download
memory/2108-201-0x0000000000ED0000-0x0000000001086000-memory.dmp

Filesize
1.7MB

Download
memory/3032-7-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/3032-9-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

Filesize
48KB

Download
memory/3032-14-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

Filesize
40KB

Download
memory/3032-16-0x000000001A840000-0x000000001A84C000-memory.dmp

Filesize
48KB

Download
memory/3032-15-0x0000000001190000-0x0000000001198000-memory.dmp

Filesize
32KB

Download
memory/3032-17-0x000000001A850000-0x000000001A85C000-memory.dmp

Filesize
48KB

Download
memory/3032-20-0x000007FEF6470000-0x000007FEF6E5C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-12-0x0000000000CA0000-0x0000000000CAC000-memory.dmp

Filesize
48KB

Download
memory/3032-10-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/3032-13-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/3032-8-0x0000000000AF0000-0x0000000000B00000-memory.dmp

Filesize
64KB

Download
memory/3032-0-0x000007FEF6473000-0x000007FEF6474000-memory.dmp

Filesize
4KB

Download
memory/3032-6-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/3032-4-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/3032-202-0x000007FEF6470000-0x000007FEF6E5C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-5-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/3032-3-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/3032-2-0x000007FEF6470000-0x000007FEF6E5C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-1-0x00000000011A0000-0x0000000001356000-memory.dmp

Filesize
1.7MB

Download