dcrat | 518d45fbe54aa405bf607284aca5e8c82e77d71d0af7ded560085fc4cd955e10

Analysis

max time kernel
117s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

518d45fbe54aa405bf607284aca5e8c82e77d71d0af7ded560085fc4cd955e10.exe
Size

1.9MB
MD5

0765641fdc0927089f66a0414361e75f
SHA1

b85dde760319d8acf68d19311841ad545a1964ea
SHA256

518d45fbe54aa405bf607284aca5e8c82e77d71d0af7ded560085fc4cd955e10
SHA512

ec58a57003b5ac73588619e4c4e894fbf654deded88757483949cc07391a09fa55c1c34c989a18c541c37661a927b90213e7955892f0d9880ca6f44067234b38
SSDEEP

49152:OB8cGLS7ffV/Vzxxlz58rJvfDddD5oLiVysr:QULwfZptzKFHD5ovsr

Score

10^/10

dcrat discovery execution infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2760	schtasks.exe	34

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2192	powershell.exe
2200	powershell.exe
1616	powershell.exe
2204	powershell.exe
2044	powershell.exe
1596	powershell.exe
1488	powershell.exe
1248	powershell.exe
832	powershell.exe
1128	powershell.exe
2248	powershell.exe
3008	powershell.exe
2156	powershell.exe
2392	powershell.exe
2424	powershell.exe
1356	powershell.exe
1664	powershell.exe
2436	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2128	WinRAR.exe
1980	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2832	cmd.exe
2832	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ipinfo.io
8	ipinfo.io

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\Accessories\fr-FR\6203df4a6bafc7	WinRAR.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\Idle.exe	WinRAR.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\6ccacd8608530f	WinRAR.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe	WinRAR.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\b75386f1303e64	WinRAR.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\lsass.exe	WinRAR.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\lsass.exe	WinRAR.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\twain_32\886983d96e3d3e	WinRAR.exe
File created	C:\Windows\twain_32\csrss.exe	WinRAR.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	518d45fbe54aa405bf607284aca5e8c82e77d71d0af7ded560085fc4cd955e10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2604	PING.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	spoolsv.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2604	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
768	schtasks.exe
2756	schtasks.exe
2884	schtasks.exe
2264	schtasks.exe
2564	schtasks.exe
1120	schtasks.exe
1572	schtasks.exe
972	schtasks.exe
264	schtasks.exe
1744	schtasks.exe
2780	schtasks.exe
1492	schtasks.exe
2088	schtasks.exe
2540	schtasks.exe
1976	schtasks.exe
2104	schtasks.exe
2856	schtasks.exe
2164	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe
2128	WinRAR.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	WinRAR.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	1980	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2636	1716	518d45fbe54aa405bf607284aca5e8c82e77d71d0af7ded560085fc4cd955e10.exe	30
PID 1716 wrote to memory of 2636	1716	518d45fbe54aa405bf607284aca5e8c82e77d71d0af7ded560085fc4cd955e10.exe	30
PID 1716 wrote to memory of 2636	1716	518d45fbe54aa405bf607284aca5e8c82e77d71d0af7ded560085fc4cd955e10.exe	30
PID 1716 wrote to memory of 2636	1716	518d45fbe54aa405bf607284aca5e8c82e77d71d0af7ded560085fc4cd955e10.exe	30
PID 2636 wrote to memory of 2832	2636	WScript.exe	31
PID 2636 wrote to memory of 2832	2636	WScript.exe	31
PID 2636 wrote to memory of 2832	2636	WScript.exe	31
PID 2636 wrote to memory of 2832	2636	WScript.exe	31
PID 2832 wrote to memory of 2128	2832	cmd.exe	33
PID 2832 wrote to memory of 2128	2832	cmd.exe	33
PID 2832 wrote to memory of 2128	2832	cmd.exe	33
PID 2832 wrote to memory of 2128	2832	cmd.exe	33
PID 2128 wrote to memory of 2436	2128	WinRAR.exe	53
PID 2128 wrote to memory of 2436	2128	WinRAR.exe	53
PID 2128 wrote to memory of 2436	2128	WinRAR.exe	53
PID 2128 wrote to memory of 2156	2128	WinRAR.exe	54
PID 2128 wrote to memory of 2156	2128	WinRAR.exe	54
PID 2128 wrote to memory of 2156	2128	WinRAR.exe	54
PID 2128 wrote to memory of 2200	2128	WinRAR.exe	55
PID 2128 wrote to memory of 2200	2128	WinRAR.exe	55
PID 2128 wrote to memory of 2200	2128	WinRAR.exe	55
PID 2128 wrote to memory of 2192	2128	WinRAR.exe	56
PID 2128 wrote to memory of 2192	2128	WinRAR.exe	56
PID 2128 wrote to memory of 2192	2128	WinRAR.exe	56
PID 2128 wrote to memory of 2392	2128	WinRAR.exe	59
PID 2128 wrote to memory of 2392	2128	WinRAR.exe	59
PID 2128 wrote to memory of 2392	2128	WinRAR.exe	59
PID 2128 wrote to memory of 2204	2128	WinRAR.exe	60
PID 2128 wrote to memory of 2204	2128	WinRAR.exe	60
PID 2128 wrote to memory of 2204	2128	WinRAR.exe	60
PID 2128 wrote to memory of 3008	2128	WinRAR.exe	62
PID 2128 wrote to memory of 3008	2128	WinRAR.exe	62
PID 2128 wrote to memory of 3008	2128	WinRAR.exe	62
PID 2128 wrote to memory of 1488	2128	WinRAR.exe	63
PID 2128 wrote to memory of 1488	2128	WinRAR.exe	63
PID 2128 wrote to memory of 1488	2128	WinRAR.exe	63
PID 2128 wrote to memory of 2044	2128	WinRAR.exe	64
PID 2128 wrote to memory of 2044	2128	WinRAR.exe	64
PID 2128 wrote to memory of 2044	2128	WinRAR.exe	64
PID 2128 wrote to memory of 1616	2128	WinRAR.exe	66
PID 2128 wrote to memory of 1616	2128	WinRAR.exe	66
PID 2128 wrote to memory of 1616	2128	WinRAR.exe	66
PID 2128 wrote to memory of 2248	2128	WinRAR.exe	68
PID 2128 wrote to memory of 2248	2128	WinRAR.exe	68
PID 2128 wrote to memory of 2248	2128	WinRAR.exe	68
PID 2128 wrote to memory of 1664	2128	WinRAR.exe	69
PID 2128 wrote to memory of 1664	2128	WinRAR.exe	69
PID 2128 wrote to memory of 1664	2128	WinRAR.exe	69
PID 2128 wrote to memory of 1128	2128	WinRAR.exe	72
PID 2128 wrote to memory of 1128	2128	WinRAR.exe	72
PID 2128 wrote to memory of 1128	2128	WinRAR.exe	72
PID 2128 wrote to memory of 832	2128	WinRAR.exe	74
PID 2128 wrote to memory of 832	2128	WinRAR.exe	74
PID 2128 wrote to memory of 832	2128	WinRAR.exe	74
PID 2128 wrote to memory of 1356	2128	WinRAR.exe	76
PID 2128 wrote to memory of 1356	2128	WinRAR.exe	76
PID 2128 wrote to memory of 1356	2128	WinRAR.exe	76
PID 2128 wrote to memory of 1596	2128	WinRAR.exe	77
PID 2128 wrote to memory of 1596	2128	WinRAR.exe	77
PID 2128 wrote to memory of 1596	2128	WinRAR.exe	77
PID 2128 wrote to memory of 2424	2128	WinRAR.exe	78
PID 2128 wrote to memory of 2424	2128	WinRAR.exe	78
PID 2128 wrote to memory of 2424	2128	WinRAR.exe	78
PID 2128 wrote to memory of 1248	2128	WinRAR.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\518d45fbe54aa405bf607284aca5e8c82e77d71d0af7ded560085fc4cd955e10.exe
"C:\Users\Admin\AppData\Local\Temp\518d45fbe54aa405bf607284aca5e8c82e77d71d0af7ded560085fc4cd955e10.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Boot\Resources\root\bin\cache\WinRAR\tmp37171.WMC\data\winrar-x64-701\pl9xeMo94WjXLJpWDpGYGGDiS01KZtVSwJMEdv3jLCZMJWaQ84V863B.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Boot\Resources\root\bin\cache\WinRAR\tmp37171.WMC\data\winrar-x64-701\TiuHlu4XhcAKoMZ02aF6pXhDoyLIxrmaBsj4qsAm38j7SD.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Boot\Resources\root\bin\cache\WinRAR\tmp37171.WMC\data\winrar-x64-701\WinRAR.exe
      "C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850/Boot/Resources/root/bin/cache/WinRAR/tmp37171.WMC/data/winrar-x64-701/WinRAR.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\fr-FR\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Boot\Resources\root\bin\cache\WinRAR\tmp37171.WMC\data\winrar-x64-701\WinRAR.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K8DZUixLn8.bat"
        5⤵
        
        PID:2284
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2796
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2604
      - C:\Users\Default\Music\spoolsv.exe
        
        "C:\Users\Default\Music\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Music\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Music\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Music\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\twain_32\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinRARW" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Boot\Resources\root\bin\cache\WinRAR\tmp37171.WMC\data\winrar-x64-701\WinRAR.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinRAR" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Boot\Resources\root\bin\cache\WinRAR\tmp37171.WMC\data\winrar-x64-701\WinRAR.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinRARW" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Boot\Resources\root\bin\cache\WinRAR\tmp37171.WMC\data\winrar-x64-701\WinRAR.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\K8DZUixLn8.bat

Filesize
162B

MD5
9294837dde83bb3daf207950ee793dbe

SHA1
06fd6a10832f90372edbfec5d0c3ddebe5af4f64

SHA256
d1ce0dd0969a87fdcd439912d59e44869243bbc5aa88a07d1be6bd25ab5ea083

SHA512
017efbee5c96fed47fa0dc407c948b77a9cc80f2ded9ed19ae4a126397b50c9d379d2682d705bfbc82cd21b546e36d100c4a03e4f6c86deeea0cd412f51d30fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Boot\Resources\root\bin\cache\WinRAR\tmp37171.WMC\data\winrar-x64-701\TiuHlu4XhcAKoMZ02aF6pXhDoyLIxrmaBsj4qsAm38j7SD.bat

Filesize
158B

MD5
3ba5ad0e1e86585a3da9885a82d72844

SHA1
2fcb6be966cdcc616bf5a0a61724b512bf445292

SHA256
ecbcd5229784807556c92a2963329ddbd1997a3b20cf7b99e0e423502a8211fa

SHA512
63feede3cabf145f9f6059bf0145518d0defb160752da724e1004f2b209a3050cf239694e2002c9e7400f42d3594ce27aacae559a79f763c66feea2e501e44d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Boot\Resources\root\bin\cache\WinRAR\tmp37171.WMC\data\winrar-x64-701\pl9xeMo94WjXLJpWDpGYGGDiS01KZtVSwJMEdv3jLCZMJWaQ84V863B.vbe

Filesize
325B

MD5
f8b8414170b10f9ba16ba0efb6816b17

SHA1
8a03e25c550c17168bd6846f328dd942a1ceabde

SHA256
60bc0e26c80e5aa6d8da3865f8d1be9f7cce74a8e76f7b6646febdf2e676ab7a

SHA512
516fe1f932e6cd0ed52aed568acb25ebefa639455688cfd53dcd0362585926e5b9dfab9e23e980a9d237e7c1852e196948f28b8a62ba540aa3a25de6cacca9e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
81a3140374a5f59925a85da53c3f96a6

SHA1
6ba5e2dc596d03765c82eb6579c07f91a2c1867f

SHA256
041c5a1c8214f3669a05db5b67ce6bbe09f63a1c5e582c0fb5bf851edcb13367

SHA512
2dbf22125207174ac211a67ef08476b8d859c99e4f95da1bfcc2ed007c02551c7ea0a6847a3dd58464dbf60df5e0e5c7f23c02bf79b16b08b858db9b022597e0

Download Submit
memory/1616-85-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/1980-131-0x00000000000D0000-0x00000000002D0000-memory.dmp

Filesize
2.0MB

Download
memory/2128-17-0x00000000006D0000-0x00000000006EC000-memory.dmp

Filesize
112KB

Download
memory/2128-23-0x00000000006A0000-0x00000000006AC000-memory.dmp

Filesize
48KB

Download
memory/2128-25-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/2128-27-0x0000000000730000-0x0000000000738000-memory.dmp

Filesize
32KB

Download
memory/2128-29-0x0000000000740000-0x000000000074C000-memory.dmp

Filesize
48KB

Download
memory/2128-21-0x0000000000710000-0x0000000000722000-memory.dmp

Filesize
72KB

Download
memory/2128-19-0x00000000006F0000-0x0000000000708000-memory.dmp

Filesize
96KB

Download
memory/2128-15-0x0000000000610000-0x000000000061E000-memory.dmp

Filesize
56KB

Download
memory/2128-13-0x0000000000310000-0x0000000000510000-memory.dmp

Filesize
2.0MB

Download
memory/3008-128-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download