dcrat | 7eca6fa06f08fcb6dc76333b8dca047e4b4603de9cd85cd84e93516fecc0fc89

Analysis

max time kernel
120s
max time network
146s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7eca6fa06f08fcb6dc76333b8dca047e4b4603de9cd85cd84e93516fecc0fc89.exe
Size

1.9MB
MD5

0ff4c4cd478f98ae17c254e75688d8c8
SHA1

33732dcae2c41811e780e75e8943b5cc794237eb
SHA256

7eca6fa06f08fcb6dc76333b8dca047e4b4603de9cd85cd84e93516fecc0fc89
SHA512

36e4fe1128e060c6add46c73d0242b1e425d073dc8ac7f373a7dcb275292e4804028270ac25246a8f145cea3e9253b0cbc46be3585a162bcc2411f146577563a
SSDEEP

49152:OB8cbBE21MiimB0IJRzISewyxLE2Zu5nUcAdhE:QN+w0aRkhQZ3AdhE

Score

10^/10

dcrat discovery execution infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2844	schtasks.exe	35

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1696	powershell.exe
1752	powershell.exe
1956	powershell.exe
1120	powershell.exe
768	powershell.exe
2160	powershell.exe
2148	powershell.exe
2464	powershell.exe
1320	powershell.exe
952	powershell.exe
984	powershell.exe
2204	powershell.exe
2628	powershell.exe
1264	powershell.exe
696	powershell.exe
2208	powershell.exe
848	powershell.exe
1624	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1780	WinRAR.exe
2916	WinRAR.exe

Loads dropped DLL 2 IoCs

pid	Process
2052	cmd.exe
2052	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
5	ipinfo.io

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\spoolsv.exe	WinRAR.exe
File created	C:\Program Files (x86)\Uninstall Information\f3b6ecef712a24	WinRAR.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7eca6fa06f08fcb6dc76333b8dca047e4b4603de9cd85cd84e93516fecc0fc89.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WinRAR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WinRAR.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2928	schtasks.exe
304	schtasks.exe
776	schtasks.exe
1608	schtasks.exe
2296	schtasks.exe
1572	schtasks.exe
2936	schtasks.exe
1492	schtasks.exe
2480	schtasks.exe
2060	schtasks.exe
2688	schtasks.exe
2752	schtasks.exe
1612	schtasks.exe
2764	schtasks.exe
2336	schtasks.exe
2044	schtasks.exe
2116	schtasks.exe
2384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe
1780	WinRAR.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	WinRAR.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2916	WinRAR.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2640	2596	7eca6fa06f08fcb6dc76333b8dca047e4b4603de9cd85cd84e93516fecc0fc89.exe	31
PID 2596 wrote to memory of 2640	2596	7eca6fa06f08fcb6dc76333b8dca047e4b4603de9cd85cd84e93516fecc0fc89.exe	31
PID 2596 wrote to memory of 2640	2596	7eca6fa06f08fcb6dc76333b8dca047e4b4603de9cd85cd84e93516fecc0fc89.exe	31
PID 2596 wrote to memory of 2640	2596	7eca6fa06f08fcb6dc76333b8dca047e4b4603de9cd85cd84e93516fecc0fc89.exe	31
PID 2640 wrote to memory of 2052	2640	WScript.exe	32
PID 2640 wrote to memory of 2052	2640	WScript.exe	32
PID 2640 wrote to memory of 2052	2640	WScript.exe	32
PID 2640 wrote to memory of 2052	2640	WScript.exe	32
PID 2052 wrote to memory of 1780	2052	cmd.exe	34
PID 2052 wrote to memory of 1780	2052	cmd.exe	34
PID 2052 wrote to memory of 1780	2052	cmd.exe	34
PID 2052 wrote to memory of 1780	2052	cmd.exe	34
PID 1780 wrote to memory of 2208	1780	WinRAR.exe	54
PID 1780 wrote to memory of 2208	1780	WinRAR.exe	54
PID 1780 wrote to memory of 2208	1780	WinRAR.exe	54
PID 1780 wrote to memory of 2148	1780	WinRAR.exe	55
PID 1780 wrote to memory of 2148	1780	WinRAR.exe	55
PID 1780 wrote to memory of 2148	1780	WinRAR.exe	55
PID 1780 wrote to memory of 2160	1780	WinRAR.exe	56
PID 1780 wrote to memory of 2160	1780	WinRAR.exe	56
PID 1780 wrote to memory of 2160	1780	WinRAR.exe	56
PID 1780 wrote to memory of 696	1780	WinRAR.exe	57
PID 1780 wrote to memory of 696	1780	WinRAR.exe	57
PID 1780 wrote to memory of 696	1780	WinRAR.exe	57
PID 1780 wrote to memory of 768	1780	WinRAR.exe	59
PID 1780 wrote to memory of 768	1780	WinRAR.exe	59
PID 1780 wrote to memory of 768	1780	WinRAR.exe	59
PID 1780 wrote to memory of 1320	1780	WinRAR.exe	61
PID 1780 wrote to memory of 1320	1780	WinRAR.exe	61
PID 1780 wrote to memory of 1320	1780	WinRAR.exe	61
PID 1780 wrote to memory of 952	1780	WinRAR.exe	63
PID 1780 wrote to memory of 952	1780	WinRAR.exe	63
PID 1780 wrote to memory of 952	1780	WinRAR.exe	63
PID 1780 wrote to memory of 2628	1780	WinRAR.exe	64
PID 1780 wrote to memory of 2628	1780	WinRAR.exe	64
PID 1780 wrote to memory of 2628	1780	WinRAR.exe	64
PID 1780 wrote to memory of 1264	1780	WinRAR.exe	65
PID 1780 wrote to memory of 1264	1780	WinRAR.exe	65
PID 1780 wrote to memory of 1264	1780	WinRAR.exe	65
PID 1780 wrote to memory of 2204	1780	WinRAR.exe	66
PID 1780 wrote to memory of 2204	1780	WinRAR.exe	66
PID 1780 wrote to memory of 2204	1780	WinRAR.exe	66
PID 1780 wrote to memory of 1624	1780	WinRAR.exe	67
PID 1780 wrote to memory of 1624	1780	WinRAR.exe	67
PID 1780 wrote to memory of 1624	1780	WinRAR.exe	67
PID 1780 wrote to memory of 1696	1780	WinRAR.exe	68
PID 1780 wrote to memory of 1696	1780	WinRAR.exe	68
PID 1780 wrote to memory of 1696	1780	WinRAR.exe	68
PID 1780 wrote to memory of 1120	1780	WinRAR.exe	69
PID 1780 wrote to memory of 1120	1780	WinRAR.exe	69
PID 1780 wrote to memory of 1120	1780	WinRAR.exe	69
PID 1780 wrote to memory of 1956	1780	WinRAR.exe	70
PID 1780 wrote to memory of 1956	1780	WinRAR.exe	70
PID 1780 wrote to memory of 1956	1780	WinRAR.exe	70
PID 1780 wrote to memory of 1752	1780	WinRAR.exe	71
PID 1780 wrote to memory of 1752	1780	WinRAR.exe	71
PID 1780 wrote to memory of 1752	1780	WinRAR.exe	71
PID 1780 wrote to memory of 2464	1780	WinRAR.exe	72
PID 1780 wrote to memory of 2464	1780	WinRAR.exe	72
PID 1780 wrote to memory of 2464	1780	WinRAR.exe	72
PID 1780 wrote to memory of 984	1780	WinRAR.exe	73
PID 1780 wrote to memory of 984	1780	WinRAR.exe	73
PID 1780 wrote to memory of 984	1780	WinRAR.exe	73
PID 1780 wrote to memory of 848	1780	WinRAR.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7eca6fa06f08fcb6dc76333b8dca047e4b4603de9cd85cd84e93516fecc0fc89.exe
"C:\Users\Admin\AppData\Local\Temp\7eca6fa06f08fcb6dc76333b8dca047e4b4603de9cd85cd84e93516fecc0fc89.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\nsyv1xzYu8VmbCzcG862c9WsvpRLyz7as0bRq7W1Tn2IOKgyOUASya2W1wA.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\uo5q9MISAlMxXE7QNA1x3M7bBFAcJOtmOsD1tooxlC0BMSBA7z5lsvUd.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\WinRAR.exe
      "C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815/downloads/winrar-x64-701ru/WinRAR.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\WinRAR.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ykpc9SkVMY.bat"
        5⤵
        
        PID:868
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2916
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3064
      - C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\WinRAR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\WinRAR.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Recent\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Recent\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Recent\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinRARW" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\WinRAR.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinRAR" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\WinRAR.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinRARW" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\WinRAR.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\nsyv1xzYu8VmbCzcG862c9WsvpRLyz7as0bRq7W1Tn2IOKgyOUASya2W1wA.vbe

Filesize
291B

MD5
e38ee1ac82a0f98f97f2d0f65c43f07c

SHA1
826e06d85af422da26e3baac2b8370d762b13de5

SHA256
b492062f1785a2205acc1de649539bd3db3e328eab63a9457d18e54e2cca6c20

SHA512
02f52a592eba58be3911b4a220b00d6be70b08bb209e9f9d1f79e841abd1d5dee0ec8c784232100002c6fe26e41cb83b2881cf8c934de5bc2b80a87bf682b542

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\uo5q9MISAlMxXE7QNA1x3M7bBFAcJOtmOsD1tooxlC0BMSBA7z5lsvUd.bat

Filesize
115B

MD5
a3481864c868c617f8cf22bc2ea205b1

SHA1
3bc448934cf9c65607ca095c43fff6185847fe6f

SHA256
adda8c60ddbc883929dc8b08371940c5601993cea525d4f5f3e22ded9cf42304

SHA512
a5ed9fadad223a03ba756c3798d74dcc1d2e67572dcf22717137d48de4661eea102327e8346b3518a943bd43a0df1857b95143028478ff8974b7236666ca8ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykpc9SkVMY.bat

Filesize
274B

MD5
dbf1ed099b515bebeefbac2e94c083b1

SHA1
46f627a2428704acd4ed60dcd0db979e60c795f9

SHA256
ed1c26d00fe238822e38a3526287377f8bcc7e9ae0a296b3e43534236752e7f3

SHA512
d2c08ee0cf260703740447a34fda69b160f626cc999aec35e8e149d228f4d88158edd64ed0046ddfcaf638e99b9b534abdf2f0abb85dfb1a1355fb3d28e41911

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TK2R13OWBGFP63MSF6UO.temp

Filesize
7KB

MD5
caf4d33138646b3737eb3b033d0c8af7

SHA1
ffcda092d07da5423d80d183c407294e2a45e5e1

SHA256
fbc3148ade56b42f5968d3628a36a460e1dd1ab7492ed3c08dfbae52784bdb63

SHA512
30e9bbefd8f340b6de8a2e2be8b07ce04624c4f48155b3b6db0430797c86e0583b0d2d4a8c213edbf782315200803bf4b9151e4bbb5333053ff329e06b80bd92

Download Submit
memory/1320-101-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/1624-136-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/1780-17-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/1780-23-0x0000000000220000-0x000000000022C000-memory.dmp

Filesize
48KB

Download
memory/1780-25-0x0000000000230000-0x000000000023E000-memory.dmp

Filesize
56KB

Download
memory/1780-27-0x0000000000720000-0x0000000000728000-memory.dmp

Filesize
32KB

Download
memory/1780-29-0x0000000000840000-0x000000000084C000-memory.dmp

Filesize
48KB

Download
memory/1780-21-0x0000000000680000-0x0000000000692000-memory.dmp

Filesize
72KB

Download
memory/1780-19-0x0000000000460000-0x0000000000478000-memory.dmp

Filesize
96KB

Download
memory/1780-15-0x0000000000210000-0x000000000021E000-memory.dmp

Filesize
56KB

Download
memory/1780-13-0x0000000000240000-0x0000000000440000-memory.dmp

Filesize
2.0MB

Download
memory/2916-138-0x00000000010B0000-0x00000000012B0000-memory.dmp

Filesize
2.0MB

Download