dcrat | fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4667f5be1002ce912e5590cca8da93b6.exe
Size

1.5MB
MD5

4667f5be1002ce912e5590cca8da93b6
SHA1

2e408e483dd447b69d2e938218989265fbfdc2af
SHA256

fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e
SHA512

cdc57befaf7bad8917cc885b394f37d9dac3beabca5d07ab74cfee24f076dc088c2631ad2176dd7b9e62c555692b4c51e3280d5cf5d432ea5172db4ab8fa8c7f
SSDEEP

24576:YvpWPh9nUNea6cQ/VUPoF/VPwrEDgbqeFrQqvvlsDJ+drpDn3fQK/759qiuiMjTP:+W8NA/VUPoFVwrIIV+DJGfZ19qig

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	496	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2812	schtasks.exe	30

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4667f5be1002ce912e5590cca8da93b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4667f5be1002ce912e5590cca8da93b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4667f5be1002ce912e5590cca8da93b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2684-1-0x0000000000810000-0x000000000099E000-memory.dmp	dcrat
behavioral1/files/0x0006000000016141-25.dat	dcrat
behavioral1/memory/584-35-0x00000000012E0000-0x000000000146E000-memory.dmp	dcrat
behavioral1/memory/1332-108-0x0000000000390000-0x000000000051E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2968	powershell.exe
776	powershell.exe
1328	powershell.exe
1028	powershell.exe
2020	powershell.exe
2004	powershell.exe
2700	powershell.exe
2788	powershell.exe
796	powershell.exe
760	powershell.exe
2016	powershell.exe
1324	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
584	dllhost.exe
1332	dllhost.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4667f5be1002ce912e5590cca8da93b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4667f5be1002ce912e5590cca8da93b6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\csrss.exe	4667f5be1002ce912e5590cca8da93b6.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\csrss.exe	4667f5be1002ce912e5590cca8da93b6.exe
File created	C:\Program Files (x86)\Google\Temp\886983d96e3d3e	4667f5be1002ce912e5590cca8da93b6.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe	4667f5be1002ce912e5590cca8da93b6.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\f3b6ecef712a24	4667f5be1002ce912e5590cca8da93b6.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rescache\rc0005\4667f5be1002ce912e5590cca8da93b6.exe	4667f5be1002ce912e5590cca8da93b6.exe
File created	C:\Windows\Migration\WTR\smss.exe	4667f5be1002ce912e5590cca8da93b6.exe
File created	C:\Windows\Migration\WTR\69ddcba757bf72	4667f5be1002ce912e5590cca8da93b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2884	schtasks.exe
2880	schtasks.exe
1616	schtasks.exe
2156	schtasks.exe
496	schtasks.exe
2928	schtasks.exe
2624	schtasks.exe
2604	schtasks.exe
2652	schtasks.exe
2704	schtasks.exe
2736	schtasks.exe
636	schtasks.exe
2000	schtasks.exe
2212	schtasks.exe
536	schtasks.exe
1236	schtasks.exe
1548	schtasks.exe
2088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2684	4667f5be1002ce912e5590cca8da93b6.exe
2684	4667f5be1002ce912e5590cca8da93b6.exe
2684	4667f5be1002ce912e5590cca8da93b6.exe
2684	4667f5be1002ce912e5590cca8da93b6.exe
2684	4667f5be1002ce912e5590cca8da93b6.exe
1328	powershell.exe
2004	powershell.exe
2700	powershell.exe
1324	powershell.exe
2968	powershell.exe
2020	powershell.exe
2016	powershell.exe
2788	powershell.exe
1028	powershell.exe
796	powershell.exe
760	powershell.exe
776	powershell.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe
584	dllhost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	4667f5be1002ce912e5590cca8da93b6.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	584	dllhost.exe
Token: SeDebugPrivilege	1332	dllhost.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 776	2684	4667f5be1002ce912e5590cca8da93b6.exe	49
PID 2684 wrote to memory of 776	2684	4667f5be1002ce912e5590cca8da93b6.exe	49
PID 2684 wrote to memory of 776	2684	4667f5be1002ce912e5590cca8da93b6.exe	49
PID 2684 wrote to memory of 2004	2684	4667f5be1002ce912e5590cca8da93b6.exe	50
PID 2684 wrote to memory of 2004	2684	4667f5be1002ce912e5590cca8da93b6.exe	50
PID 2684 wrote to memory of 2004	2684	4667f5be1002ce912e5590cca8da93b6.exe	50
PID 2684 wrote to memory of 2700	2684	4667f5be1002ce912e5590cca8da93b6.exe	51
PID 2684 wrote to memory of 2700	2684	4667f5be1002ce912e5590cca8da93b6.exe	51
PID 2684 wrote to memory of 2700	2684	4667f5be1002ce912e5590cca8da93b6.exe	51
PID 2684 wrote to memory of 2788	2684	4667f5be1002ce912e5590cca8da93b6.exe	52
PID 2684 wrote to memory of 2788	2684	4667f5be1002ce912e5590cca8da93b6.exe	52
PID 2684 wrote to memory of 2788	2684	4667f5be1002ce912e5590cca8da93b6.exe	52
PID 2684 wrote to memory of 2968	2684	4667f5be1002ce912e5590cca8da93b6.exe	53
PID 2684 wrote to memory of 2968	2684	4667f5be1002ce912e5590cca8da93b6.exe	53
PID 2684 wrote to memory of 2968	2684	4667f5be1002ce912e5590cca8da93b6.exe	53
PID 2684 wrote to memory of 796	2684	4667f5be1002ce912e5590cca8da93b6.exe	54
PID 2684 wrote to memory of 796	2684	4667f5be1002ce912e5590cca8da93b6.exe	54
PID 2684 wrote to memory of 796	2684	4667f5be1002ce912e5590cca8da93b6.exe	54
PID 2684 wrote to memory of 2020	2684	4667f5be1002ce912e5590cca8da93b6.exe	55
PID 2684 wrote to memory of 2020	2684	4667f5be1002ce912e5590cca8da93b6.exe	55
PID 2684 wrote to memory of 2020	2684	4667f5be1002ce912e5590cca8da93b6.exe	55
PID 2684 wrote to memory of 760	2684	4667f5be1002ce912e5590cca8da93b6.exe	56
PID 2684 wrote to memory of 760	2684	4667f5be1002ce912e5590cca8da93b6.exe	56
PID 2684 wrote to memory of 760	2684	4667f5be1002ce912e5590cca8da93b6.exe	56
PID 2684 wrote to memory of 1328	2684	4667f5be1002ce912e5590cca8da93b6.exe	57
PID 2684 wrote to memory of 1328	2684	4667f5be1002ce912e5590cca8da93b6.exe	57
PID 2684 wrote to memory of 1328	2684	4667f5be1002ce912e5590cca8da93b6.exe	57
PID 2684 wrote to memory of 1028	2684	4667f5be1002ce912e5590cca8da93b6.exe	58
PID 2684 wrote to memory of 1028	2684	4667f5be1002ce912e5590cca8da93b6.exe	58
PID 2684 wrote to memory of 1028	2684	4667f5be1002ce912e5590cca8da93b6.exe	58
PID 2684 wrote to memory of 2016	2684	4667f5be1002ce912e5590cca8da93b6.exe	59
PID 2684 wrote to memory of 2016	2684	4667f5be1002ce912e5590cca8da93b6.exe	59
PID 2684 wrote to memory of 2016	2684	4667f5be1002ce912e5590cca8da93b6.exe	59
PID 2684 wrote to memory of 1324	2684	4667f5be1002ce912e5590cca8da93b6.exe	61
PID 2684 wrote to memory of 1324	2684	4667f5be1002ce912e5590cca8da93b6.exe	61
PID 2684 wrote to memory of 1324	2684	4667f5be1002ce912e5590cca8da93b6.exe	61
PID 2684 wrote to memory of 584	2684	4667f5be1002ce912e5590cca8da93b6.exe	68
PID 2684 wrote to memory of 584	2684	4667f5be1002ce912e5590cca8da93b6.exe	68
PID 2684 wrote to memory of 584	2684	4667f5be1002ce912e5590cca8da93b6.exe	68
PID 584 wrote to memory of 1988	584	dllhost.exe	74
PID 584 wrote to memory of 1988	584	dllhost.exe	74
PID 584 wrote to memory of 1988	584	dllhost.exe	74
PID 584 wrote to memory of 2880	584	dllhost.exe	75
PID 584 wrote to memory of 2880	584	dllhost.exe	75
PID 584 wrote to memory of 2880	584	dllhost.exe	75
PID 1988 wrote to memory of 1332	1988	WScript.exe	77
PID 1988 wrote to memory of 1332	1988	WScript.exe	77
PID 1988 wrote to memory of 1332	1988	WScript.exe	77

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4667f5be1002ce912e5590cca8da93b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4667f5be1002ce912e5590cca8da93b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4667f5be1002ce912e5590cca8da93b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4667f5be1002ce912e5590cca8da93b6.exe
"C:\Users\Admin\AppData\Local\Temp\4667f5be1002ce912e5590cca8da93b6.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\Users\Default\Desktop\dllhost.exe
  "C:\Users\Default\Desktop\dllhost.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:584
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\058ac07a-ecb4-4a9c-a2f4-10651b3bf9cf.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Users\Default\Desktop\dllhost.exe
      C:\Users\Default\Desktop\dllhost.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:1332
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0afc64a0-f04e-4fa8-a500-e88572fff71d.vbs"
    3⤵
    PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\WTR\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe

Filesize
1.5MB

MD5
4667f5be1002ce912e5590cca8da93b6

SHA1
2e408e483dd447b69d2e938218989265fbfdc2af

SHA256
fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e

SHA512
cdc57befaf7bad8917cc885b394f37d9dac3beabca5d07ab74cfee24f076dc088c2631ad2176dd7b9e62c555692b4c51e3280d5cf5d432ea5172db4ab8fa8c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\058ac07a-ecb4-4a9c-a2f4-10651b3bf9cf.vbs

Filesize
711B

MD5
1b1df5b3c4a8848dc104cce5c100fb71

SHA1
e5abfc73b36b14e192f4d187986bf60431c0d611

SHA256
ced5c3378fe734865195c47fefa06966b3034d20729902f6bd09dfe575fe489a

SHA512
db788381071f6bcf47cc3d91825959242c57cef7e28cf3e143eeb89f62c87a72ca57a122baae67d18aa7a3a473c9e9ec0948de9a4e536f2b44a620a087222b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0afc64a0-f04e-4fa8-a500-e88572fff71d.vbs

Filesize
488B

MD5
e02d48255a4614775afb9fa373430c13

SHA1
28c0837f646d95732f5d3730687dac6d1b105263

SHA256
d80fe31c9841e5cedb7aec570249a0e4cac6e76c06a4bd98f199bad3532ff2d4

SHA512
0737fb2a20e517849a9e9565f6e8a03cebec96a53b128adb1d43805ecd56219439e53d1ef3bd6d927e4a0622d6721f00ad83e4a9c9077450f42ad81db0329daf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f587d61aa4624ba33a02cc54040661af

SHA1
61dba143b6dcb3b56ff250c9dd3dc752d00392d4

SHA256
8bae7a56ad96d24e66838f833130e231223ea91e23ee6fcab7dbdb4e1bd7abd6

SHA512
259ee1b7ced3942047bb732f9ef46da76e4d122d89a0f4a0539a9adf93cad39ea5923b695f29c3624b2063768b5590065a508689dee2368ee249987073210bdb

Download Submit
memory/584-35-0x00000000012E0000-0x000000000146E000-memory.dmp

Filesize
1.6MB

Download
memory/1332-108-0x0000000000390000-0x000000000051E000-memory.dmp

Filesize
1.6MB

Download
memory/2004-60-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2004-71-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2684-6-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2684-8-0x00000000007E0000-0x00000000007E8000-memory.dmp

Filesize
32KB

Download
memory/2684-11-0x00000000021C0000-0x00000000021CE000-memory.dmp

Filesize
56KB

Download
memory/2684-10-0x0000000000800000-0x000000000080A000-memory.dmp

Filesize
40KB

Download
memory/2684-13-0x00000000021E0000-0x00000000021EC000-memory.dmp

Filesize
48KB

Download
memory/2684-12-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2684-16-0x000007FEF5480000-0x000007FEF5E6C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-15-0x0000000002200000-0x000000000220C000-memory.dmp

Filesize
48KB

Download
memory/2684-14-0x00000000021F0000-0x00000000021F8000-memory.dmp

Filesize
32KB

Download
memory/2684-9-0x00000000007F0000-0x00000000007FC000-memory.dmp

Filesize
48KB

Download
memory/2684-7-0x00000000007D0000-0x00000000007DC000-memory.dmp

Filesize
48KB

Download
memory/2684-0-0x000007FEF5483000-0x000007FEF5484000-memory.dmp

Filesize
4KB

Download
memory/2684-5-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/2684-4-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/2684-77-0x000007FEF5480000-0x000007FEF5E6C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-3-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2684-2-0x000007FEF5480000-0x000007FEF5E6C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-1-0x0000000000810000-0x000000000099E000-memory.dmp

Filesize
1.6MB

Download