dcrat | 7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2024 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
Size

1.8MB
MD5

4f964ada28fa2dde5c75d3c3682e69c4
SHA1

481a0ddc3dfd39147abf684b60b6a0b1dfbbc341
SHA256

7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945
SHA512

ab07c9602776dc062599a89eed9d38be2c95f563a9ed9c906e6c1066f80e5666f119c5a790a120bf626a73edd3cc178924262d41c0f65eb20fcf3b542a83dc68
SSDEEP

24576:cWrCg/r+6/5OZr1A+KnhQaPNcHxIpjgqJ6t1:XrC7G5g0gq

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	4112	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	4112	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	4112	schtasks.exe	83

DCRat payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1280-1-0x00000000004D0000-0x000000000069A000-memory.dmp	family_dcrat_v2
behavioral2/files/0x0014000000023c91-57.dat	family_dcrat_v2

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exeupdater.exeupdater.exeupdater.exeupdater.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	updater.exe

Executes dropped EXE 5 IoCs

Processes:

updater.exeupdater.exeupdater.exeupdater.exeupdater.exe

pid	Process
404	updater.exe
3280	updater.exe
4776	updater.exe
4380	updater.exe
4456	updater.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	Process
File created	\??\c:\Windows\System32\CSC77ED58047E7A48B2B821ADD92492A66F.TMP	csc.exe
File created	\??\c:\Windows\System32\hnaorh.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXE

pid	Process
4520	PING.EXE
2212	PING.EXE
404	PING.EXE

Modifies registry class 5 IoCs

Processes:

7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exeupdater.exeupdater.exeupdater.exeupdater.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	updater.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	updater.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	updater.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	updater.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid	Process
404	PING.EXE
4520	PING.EXE
2212	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid	Process
224	schtasks.exe
1976	schtasks.exe
4056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe

pid	Process
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exe

description	pid	Process
Token: SeDebugPrivilege	1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
Token: SeDebugPrivilege	404	updater.exe
Token: SeDebugPrivilege	3280	updater.exe
Token: SeDebugPrivilege	4776	updater.exe
Token: SeDebugPrivilege	4380	updater.exe
Token: SeDebugPrivilege	4456	updater.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.execsc.execmd.exeupdater.execmd.exeupdater.execmd.exeupdater.execmd.exeupdater.execmd.exe

description	pid	Process	procid_target
PID 1280 wrote to memory of 4520	1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	87
PID 1280 wrote to memory of 4520	1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	87
PID 4520 wrote to memory of 4136	4520	csc.exe	89
PID 4520 wrote to memory of 4136	4520	csc.exe	89
PID 1280 wrote to memory of 4612	1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	90
PID 1280 wrote to memory of 4612	1280	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	90
PID 4612 wrote to memory of 1700	4612	cmd.exe	92
PID 4612 wrote to memory of 1700	4612	cmd.exe	92
PID 4612 wrote to memory of 4748	4612	cmd.exe	93
PID 4612 wrote to memory of 4748	4612	cmd.exe	93
PID 4612 wrote to memory of 404	4612	cmd.exe	95
PID 4612 wrote to memory of 404	4612	cmd.exe	95
PID 404 wrote to memory of 1872	404	updater.exe	111
PID 404 wrote to memory of 1872	404	updater.exe	111
PID 1872 wrote to memory of 4628	1872	cmd.exe	113
PID 1872 wrote to memory of 4628	1872	cmd.exe	113
PID 1872 wrote to memory of 4388	1872	cmd.exe	114
PID 1872 wrote to memory of 4388	1872	cmd.exe	114
PID 1872 wrote to memory of 3280	1872	cmd.exe	117
PID 1872 wrote to memory of 3280	1872	cmd.exe	117
PID 3280 wrote to memory of 2528	3280	updater.exe	119
PID 3280 wrote to memory of 2528	3280	updater.exe	119
PID 2528 wrote to memory of 1284	2528	cmd.exe	121
PID 2528 wrote to memory of 1284	2528	cmd.exe	121
PID 2528 wrote to memory of 4520	2528	cmd.exe	122
PID 2528 wrote to memory of 4520	2528	cmd.exe	122
PID 2528 wrote to memory of 4776	2528	cmd.exe	124
PID 2528 wrote to memory of 4776	2528	cmd.exe	124
PID 4776 wrote to memory of 5080	4776	updater.exe	126
PID 4776 wrote to memory of 5080	4776	updater.exe	126
PID 5080 wrote to memory of 2516	5080	cmd.exe	128
PID 5080 wrote to memory of 2516	5080	cmd.exe	128
PID 5080 wrote to memory of 2212	5080	cmd.exe	129
PID 5080 wrote to memory of 2212	5080	cmd.exe	129
PID 5080 wrote to memory of 4380	5080	cmd.exe	131
PID 5080 wrote to memory of 4380	5080	cmd.exe	131
PID 4380 wrote to memory of 3944	4380	updater.exe	134
PID 4380 wrote to memory of 3944	4380	updater.exe	134
PID 3944 wrote to memory of 2868	3944	cmd.exe	136
PID 3944 wrote to memory of 2868	3944	cmd.exe	136
PID 3944 wrote to memory of 404	3944	cmd.exe	137
PID 3944 wrote to memory of 404	3944	cmd.exe	137
PID 3944 wrote to memory of 4456	3944	cmd.exe	139
PID 3944 wrote to memory of 4456	3944	cmd.exe	139

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
"C:\Users\Admin\AppData\Local\Temp\7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xvts43ag\xvts43ag.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9451.tmp" "c:\Windows\System32\CSC77ED58047E7A48B2B821ADD92492A66F.TMP"
    3⤵
    PID:4136
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0vXXTAgmz2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1700
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4748
- - C:\Users\Admin\AppData\Local\updater.exe
    "C:\Users\Admin\AppData\Local\updater.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Iv7oqRV3w.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1872
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4628
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4388
    - - C:\Users\Admin\AppData\Local\updater.exe
        
        "C:\Users\Admin\AppData\Local\updater.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3280
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QB3cAngPVs.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1284
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\updater.exe
        
        "C:\Users\Admin\AppData\Local\updater.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0LbarnS5IG.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\updater.exe
        
        "C:\Users\Admin\AppData\Local\updater.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SJ5NCAOpEX.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:404
        
        C:\Users\Admin\AppData\Local\updater.exe
        
        "C:\Users\Admin\AppData\Local\updater.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updateru" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updater" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updateru" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\updater.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Temp\0LbarnS5IG.bat

Filesize
168B

MD5
ebd6010f126579e063885b8a1b0237c8

SHA1
cb6e3fb04d1c3c79ac54bfb34783441d7ee061f9

SHA256
5cb9702a7cb52023f10c8fa758def62c632ac6a7b7aadfd285dca95cd4f0ce23

SHA512
742fc4e977f3a769736af7b5eaf08d1e06fa55dfc9959c41a438cbc9f936175759e4776d03c9bfd59bf6edc7a0049f8b1db11462a54bc6799ebc19d8d1b95018

Download Submit
C:\Users\Admin\AppData\Local\Temp\0vXXTAgmz2.bat

Filesize
216B

MD5
96cf4b257e1a85bd61f78d4a5762e115

SHA1
0f59aea48930d7f0d930bcee6d5e4f16d506c5e7

SHA256
8d72c0775abb2182d9943f3cac8c1be62cc107325b7a2a83c40c626c30bde9d5

SHA512
ba6dfdf209c21f47b64a605083834e28eb54a09156fc5aab04975a80ceaab91a1d0acb3a1c74f3cf6bcbbaa6e2b9648dac2089f72c573c8eb76380cba25cba5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Iv7oqRV3w.bat

Filesize
216B

MD5
5ee31f4d7a4d0dcb85e351a5188fa3b6

SHA1
f4463751a441f743e33c03348747cd13ca662555

SHA256
e382caf7eaec6b67cf8c97c935e400ab48596f903e87fffc3509172b1291f352

SHA512
539ea6db8eedfeb74bad2e57987cc15c3014e19e318d51510318545a231e7ee1c86bc272165694f3cd787c5b61582cc889731f7c36eb526b10b1de57b8e80adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\QB3cAngPVs.bat

Filesize
168B

MD5
9ee78f7e7573f6cb3b393a263cecbefb

SHA1
0550c3dd8a35400b15ed326b07b975b4beb573d6

SHA256
157d7dc1917f63fc45db50919890f56c152c3e7b57c001c903b092a595f1f50b

SHA512
4ab9ce79e52909a46b11ca9b79e590a984e18dd980e8e99ed4f5860d15e482112d692b84d051952c93bca870ac6cc06a0f7a1bebec8dabc7339a2a710994a17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9451.tmp

Filesize
1KB

MD5
5883e939c2cada974bd7ff56a88cc404

SHA1
f580fbcbbcbcae5a2b0b9b4594c7c00a5c8825ea

SHA256
73a82083e965798475de43cea7a4018130f8f4969446ea02ae0f623164745320

SHA512
ed3117dcf993f6e8b33e6756be370304d28fa2e2eabf116d953630710c07ecb7c5b7a19e57fe5c491415a60dfba8ad0be6154e609544602a39f68413ec3ee4ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\SJ5NCAOpEX.bat

Filesize
168B

MD5
3a53541b874e19209225e266cdeb6464

SHA1
df628627c1bb3f1016a9a6393d6db29051f27fec

SHA256
3bfbb5b056c3bde043bd4cf3c3ad4b0c05c7b9028e490f918831db42ce53c808

SHA512
a7063d91508047bf3f9c8638c182d1a3576ffc5d7db1c8292399a3ef71b79303b81409dcb186997d51f60d75260e120563f1359c514ccfb9f7a5e701519f26c3

Download Submit
C:\Users\Admin\AppData\Local\updater.exe

Filesize
1.8MB

MD5
4f964ada28fa2dde5c75d3c3682e69c4

SHA1
481a0ddc3dfd39147abf684b60b6a0b1dfbbc341

SHA256
7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945

SHA512
ab07c9602776dc062599a89eed9d38be2c95f563a9ed9c906e6c1066f80e5666f119c5a790a120bf626a73edd3cc178924262d41c0f65eb20fcf3b542a83dc68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xvts43ag\xvts43ag.0.cs

Filesize
372B

MD5
208024239b93fc03e5a2a451824b9d17

SHA1
60b72ee5becbb59a094dc5526e252a5f00038274

SHA256
0e1ed822c045d17af6e3454bdce3bcdf64e9f5aae4fec348034edccca10f3a73

SHA512
60d54ee4ac89d8dcf2e6b90367f2d72175a1abd6a52abb9eddf7798b7de1d9b7b843e5d52fc3e0b01ac32dba6016d623221357b07da2f3007738acba0ee0e217

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xvts43ag\xvts43ag.cmdline

Filesize
235B

MD5
4c65a54af6bd438f7d7ca800974d85c8

SHA1
1ed5036a7c3061d65061734b38f02f1ca8a51323

SHA256
dd8fbf3ffccd68c782beb09433e97c5a494d4b14fd8d49a6ea6b91c15c29f2ec

SHA512
3354fcbfa91faa797e9da2a2b8ca7f96d8174104cfc30c4ade33c8fe78f84113acbb8624c14fb304e1fa3bd4821f498992c8c7b89ba1000ba84c8409f637d1ff

Download Submit
\??\c:\Windows\System32\CSC77ED58047E7A48B2B821ADD92492A66F.TMP

Filesize
1KB

MD5
65d5babddb4bd68783c40f9e3678613f

SHA1
71e76abb44dbea735b9faaccb8c0fad345b514f4

SHA256
d61a59849cacd91b8039a8e41a5b92a7f93e2d46c90791b9ba6b5f856008cd8f

SHA512
21223e9a32df265bb75093d1ebaa879880a947d25ac764f3452b9104893b05f2c8fe4150cb2465681df7a0554dcefdb7f623aaf54772ade878270f453ebc1bcf

Download Submit
memory/404-77-0x000000001BCC0000-0x000000001BDC2000-memory.dmp

Filesize
1.0MB

Download
memory/404-70-0x000000001BCC0000-0x000000001BDC2000-memory.dmp

Filesize
1.0MB

Download
memory/1280-15-0x000000001B390000-0x000000001B3A2000-memory.dmp

Filesize
72KB

Download
memory/1280-54-0x00007FFB66540000-0x00007FFB67001000-memory.dmp

Filesize
10.8MB

Download
memory/1280-23-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/1280-25-0x000000001B430000-0x000000001B48A000-memory.dmp

Filesize
360KB

Download
memory/1280-26-0x00007FFB66540000-0x00007FFB67001000-memory.dmp

Filesize
10.8MB

Download
memory/1280-28-0x000000001B320000-0x000000001B32E000-memory.dmp

Filesize
56KB

Download
memory/1280-30-0x000000001B490000-0x000000001B4DE000-memory.dmp

Filesize
312KB

Download
memory/1280-31-0x00007FFB66540000-0x00007FFB67001000-memory.dmp

Filesize
10.8MB

Download
memory/1280-34-0x00007FFB66540000-0x00007FFB67001000-memory.dmp

Filesize
10.8MB

Download
memory/1280-35-0x00007FFB66540000-0x00007FFB67001000-memory.dmp

Filesize
10.8MB

Download
memory/1280-36-0x00007FFB66540000-0x00007FFB67001000-memory.dmp

Filesize
10.8MB

Download
memory/1280-20-0x0000000002840000-0x000000000284E000-memory.dmp

Filesize
56KB

Download
memory/1280-18-0x000000001B3B0000-0x000000001B3C6000-memory.dmp

Filesize
88KB

Download
memory/1280-16-0x00007FFB66540000-0x00007FFB67001000-memory.dmp

Filesize
10.8MB

Download
memory/1280-0-0x00007FFB66543000-0x00007FFB66545000-memory.dmp

Filesize
8KB

Download
memory/1280-21-0x00007FFB66540000-0x00007FFB67001000-memory.dmp

Filesize
10.8MB

Download
memory/1280-13-0x0000000002830000-0x000000000283E000-memory.dmp

Filesize
56KB

Download
memory/1280-10-0x00000000029F0000-0x0000000002A08000-memory.dmp

Filesize
96KB

Download
memory/1280-11-0x00007FFB66540000-0x00007FFB67001000-memory.dmp

Filesize
10.8MB

Download
memory/1280-8-0x000000001B340000-0x000000001B390000-memory.dmp

Filesize
320KB

Download
memory/1280-7-0x0000000002810000-0x000000000282C000-memory.dmp

Filesize
112KB

Download
memory/1280-6-0x0000000002830000-0x000000000284C000-memory.dmp

Filesize
112KB

Download
memory/1280-1-0x00000000004D0000-0x000000000069A000-memory.dmp

Filesize
1.8MB

Download
memory/1280-2-0x00007FFB66540000-0x00007FFB67001000-memory.dmp

Filesize
10.8MB

Download
memory/1280-4-0x0000000002800000-0x000000000280E000-memory.dmp

Filesize
56KB

Download
memory/3280-98-0x000000001BFE0000-0x000000001C0E2000-memory.dmp

Filesize
1.0MB

Download
memory/3280-92-0x000000001BFE0000-0x000000001C0E2000-memory.dmp

Filesize
1.0MB

Download
memory/4776-112-0x000000001BFB0000-0x000000001C0B2000-memory.dmp

Filesize
1.0MB

Download
memory/4776-118-0x000000001BFB0000-0x000000001C0B2000-memory.dmp

Filesize
1.0MB

Download