dcrat | 518d45fbe54aa405bf607284aca5e8c82e77d71d0af7ded560085fc4cd955e10

Analysis

max time kernel
118s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

518d45fbe54aa405bf607284aca5e8c82e77d71d0af7ded560085fc4cd955e10.exe
Size

1.9MB
MD5

0765641fdc0927089f66a0414361e75f
SHA1

b85dde760319d8acf68d19311841ad545a1964ea
SHA256

518d45fbe54aa405bf607284aca5e8c82e77d71d0af7ded560085fc4cd955e10
SHA512

ec58a57003b5ac73588619e4c4e894fbf654deded88757483949cc07391a09fa55c1c34c989a18c541c37661a927b90213e7955892f0d9880ca6f44067234b38
SSDEEP

49152:OB8cGLS7ffV/Vzxxlz58rJvfDddD5oLiVysr:QULwfZptzKFHD5ovsr

Score

10^/10

dcrat discovery execution infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2872	schtasks.exe	34

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1848	powershell.exe
848	powershell.exe
560	powershell.exe
528	powershell.exe
1032	powershell.exe
900	powershell.exe
920	powershell.exe
1592	powershell.exe
1796	powershell.exe
2168	powershell.exe
1772	powershell.exe
1336	powershell.exe
616	powershell.exe
1080	powershell.exe
1996	powershell.exe
2208	powershell.exe
1516	powershell.exe
800	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2988	WinRAR.exe
2628	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2536	cmd.exe
2536	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ipinfo.io
7	ipinfo.io

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\WinRAR.exe	WinRAR.exe
File opened for modification	C:\Windows\Performance\WinSAT\WinRAR.exe	WinRAR.exe
File created	C:\Windows\Performance\WinSAT\69c284df67157d	WinRAR.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\services.exe	WinRAR.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\c5b4cb5e9653cc	WinRAR.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	518d45fbe54aa405bf607284aca5e8c82e77d71d0af7ded560085fc4cd955e10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	services.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	services.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1708	schtasks.exe
2572	schtasks.exe
1160	schtasks.exe
2268	schtasks.exe
1904	schtasks.exe
2476	schtasks.exe
1476	schtasks.exe
2176	schtasks.exe
2976	schtasks.exe
1660	schtasks.exe
2752	schtasks.exe
1548	schtasks.exe
2556	schtasks.exe
2164	schtasks.exe
2980	schtasks.exe
2044	schtasks.exe
776	schtasks.exe
1728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	WinRAR.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	616	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	2628	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1812	1976	518d45fbe54aa405bf607284aca5e8c82e77d71d0af7ded560085fc4cd955e10.exe	30
PID 1976 wrote to memory of 1812	1976	518d45fbe54aa405bf607284aca5e8c82e77d71d0af7ded560085fc4cd955e10.exe	30
PID 1976 wrote to memory of 1812	1976	518d45fbe54aa405bf607284aca5e8c82e77d71d0af7ded560085fc4cd955e10.exe	30
PID 1976 wrote to memory of 1812	1976	518d45fbe54aa405bf607284aca5e8c82e77d71d0af7ded560085fc4cd955e10.exe	30
PID 1812 wrote to memory of 2536	1812	WScript.exe	31
PID 1812 wrote to memory of 2536	1812	WScript.exe	31
PID 1812 wrote to memory of 2536	1812	WScript.exe	31
PID 1812 wrote to memory of 2536	1812	WScript.exe	31
PID 2536 wrote to memory of 2988	2536	cmd.exe	33
PID 2536 wrote to memory of 2988	2536	cmd.exe	33
PID 2536 wrote to memory of 2988	2536	cmd.exe	33
PID 2536 wrote to memory of 2988	2536	cmd.exe	33
PID 2988 wrote to memory of 2208	2988	WinRAR.exe	53
PID 2988 wrote to memory of 2208	2988	WinRAR.exe	53
PID 2988 wrote to memory of 2208	2988	WinRAR.exe	53
PID 2988 wrote to memory of 2168	2988	WinRAR.exe	54
PID 2988 wrote to memory of 2168	2988	WinRAR.exe	54
PID 2988 wrote to memory of 2168	2988	WinRAR.exe	54
PID 2988 wrote to memory of 1848	2988	WinRAR.exe	55
PID 2988 wrote to memory of 1848	2988	WinRAR.exe	55
PID 2988 wrote to memory of 1848	2988	WinRAR.exe	55
PID 2988 wrote to memory of 1592	2988	WinRAR.exe	57
PID 2988 wrote to memory of 1592	2988	WinRAR.exe	57
PID 2988 wrote to memory of 1592	2988	WinRAR.exe	57
PID 2988 wrote to memory of 920	2988	WinRAR.exe	59
PID 2988 wrote to memory of 920	2988	WinRAR.exe	59
PID 2988 wrote to memory of 920	2988	WinRAR.exe	59
PID 2988 wrote to memory of 1796	2988	WinRAR.exe	60
PID 2988 wrote to memory of 1796	2988	WinRAR.exe	60
PID 2988 wrote to memory of 1796	2988	WinRAR.exe	60
PID 2988 wrote to memory of 1032	2988	WinRAR.exe	61
PID 2988 wrote to memory of 1032	2988	WinRAR.exe	61
PID 2988 wrote to memory of 1032	2988	WinRAR.exe	61
PID 2988 wrote to memory of 1516	2988	WinRAR.exe	62
PID 2988 wrote to memory of 1516	2988	WinRAR.exe	62
PID 2988 wrote to memory of 1516	2988	WinRAR.exe	62
PID 2988 wrote to memory of 1772	2988	WinRAR.exe	63
PID 2988 wrote to memory of 1772	2988	WinRAR.exe	63
PID 2988 wrote to memory of 1772	2988	WinRAR.exe	63
PID 2988 wrote to memory of 848	2988	WinRAR.exe	64
PID 2988 wrote to memory of 848	2988	WinRAR.exe	64
PID 2988 wrote to memory of 848	2988	WinRAR.exe	64
PID 2988 wrote to memory of 528	2988	WinRAR.exe	65
PID 2988 wrote to memory of 528	2988	WinRAR.exe	65
PID 2988 wrote to memory of 528	2988	WinRAR.exe	65
PID 2988 wrote to memory of 560	2988	WinRAR.exe	66
PID 2988 wrote to memory of 560	2988	WinRAR.exe	66
PID 2988 wrote to memory of 560	2988	WinRAR.exe	66
PID 2988 wrote to memory of 900	2988	WinRAR.exe	67
PID 2988 wrote to memory of 900	2988	WinRAR.exe	67
PID 2988 wrote to memory of 900	2988	WinRAR.exe	67
PID 2988 wrote to memory of 1996	2988	WinRAR.exe	68
PID 2988 wrote to memory of 1996	2988	WinRAR.exe	68
PID 2988 wrote to memory of 1996	2988	WinRAR.exe	68
PID 2988 wrote to memory of 1080	2988	WinRAR.exe	69
PID 2988 wrote to memory of 1080	2988	WinRAR.exe	69
PID 2988 wrote to memory of 1080	2988	WinRAR.exe	69
PID 2988 wrote to memory of 616	2988	WinRAR.exe	70
PID 2988 wrote to memory of 616	2988	WinRAR.exe	70
PID 2988 wrote to memory of 616	2988	WinRAR.exe	70
PID 2988 wrote to memory of 800	2988	WinRAR.exe	71
PID 2988 wrote to memory of 800	2988	WinRAR.exe	71
PID 2988 wrote to memory of 800	2988	WinRAR.exe	71
PID 2988 wrote to memory of 1336	2988	WinRAR.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\518d45fbe54aa405bf607284aca5e8c82e77d71d0af7ded560085fc4cd955e10.exe
"C:\Users\Admin\AppData\Local\Temp\518d45fbe54aa405bf607284aca5e8c82e77d71d0af7ded560085fc4cd955e10.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Boot\Resources\root\bin\cache\WinRAR\tmp37171.WMC\data\winrar-x64-701\pl9xeMo94WjXLJpWDpGYGGDiS01KZtVSwJMEdv3jLCZMJWaQ84V863B.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Boot\Resources\root\bin\cache\WinRAR\tmp37171.WMC\data\winrar-x64-701\TiuHlu4XhcAKoMZ02aF6pXhDoyLIxrmaBsj4qsAm38j7SD.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Boot\Resources\root\bin\cache\WinRAR\tmp37171.WMC\data\winrar-x64-701\WinRAR.exe
      "C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850/Boot/Resources/root/bin/cache/WinRAR/tmp37171.WMC/data/winrar-x64-701/WinRAR.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\WinRAR.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Boot\Resources\root\bin\cache\WinRAR\tmp37171.WMC\data\winrar-x64-701\WinRAR.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\02ugyd6lxS.bat"
        5⤵
        
        PID:2300
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2864
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1692
      - C:\Windows\BitLockerDiscoveryVolumeContents\services.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\services.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinRARW" /sc MINUTE /mo 12 /tr "'C:\Windows\Performance\WinSAT\WinRAR.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinRAR" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\WinRAR.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinRARW" /sc MINUTE /mo 12 /tr "'C:\Windows\Performance\WinSAT\WinRAR.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinRARW" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Boot\Resources\root\bin\cache\WinRAR\tmp37171.WMC\data\winrar-x64-701\WinRAR.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinRAR" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Boot\Resources\root\bin\cache\WinRAR\tmp37171.WMC\data\winrar-x64-701\WinRAR.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinRARW" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Boot\Resources\root\bin\cache\WinRAR\tmp37171.WMC\data\winrar-x64-701\WinRAR.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\02ugyd6lxS.bat

Filesize
232B

MD5
bea8bef97207f97f5e987c8c6a7fcd2f

SHA1
2a1310c928894c92196e670c46bf947859aee719

SHA256
5095041b8a07494c8e68cd4c6a683543027dd49baec09950fe05afa5cc1fc8e9

SHA512
a65a4d21f5aa99e01bf152be71f9cac988360afc161a4841ce7d7a9a0738e14f97467f56cab50855a69cfb2b228f71d52f1704b31c7b27c33424811f114b950c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Boot\Resources\root\bin\cache\WinRAR\tmp37171.WMC\data\winrar-x64-701\TiuHlu4XhcAKoMZ02aF6pXhDoyLIxrmaBsj4qsAm38j7SD.bat

Filesize
158B

MD5
3ba5ad0e1e86585a3da9885a82d72844

SHA1
2fcb6be966cdcc616bf5a0a61724b512bf445292

SHA256
ecbcd5229784807556c92a2963329ddbd1997a3b20cf7b99e0e423502a8211fa

SHA512
63feede3cabf145f9f6059bf0145518d0defb160752da724e1004f2b209a3050cf239694e2002c9e7400f42d3594ce27aacae559a79f763c66feea2e501e44d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Boot\Resources\root\bin\cache\WinRAR\tmp37171.WMC\data\winrar-x64-701\pl9xeMo94WjXLJpWDpGYGGDiS01KZtVSwJMEdv3jLCZMJWaQ84V863B.vbe

Filesize
325B

MD5
f8b8414170b10f9ba16ba0efb6816b17

SHA1
8a03e25c550c17168bd6846f328dd942a1ceabde

SHA256
60bc0e26c80e5aa6d8da3865f8d1be9f7cce74a8e76f7b6646febdf2e676ab7a

SHA512
516fe1f932e6cd0ed52aed568acb25ebefa639455688cfd53dcd0362585926e5b9dfab9e23e980a9d237e7c1852e196948f28b8a62ba540aa3a25de6cacca9e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d2c113038bfddbe2954d20cac250d3e0

SHA1
9c942186b03b74b1c00629827f1302d7074488ed

SHA256
f8f15799040e604b66d26bc09625e49f4a3319c0d842c41619fca4738c6b353d

SHA512
aefd9e313b14dbbace1f0475cdf1c73f2799e2a98ef7191d710916eaf39059f227abc9d38402b28487c17a6f211bbab8bd5b7fd256ef16b16dc4cc0509394da3

Download Submit
memory/616-91-0x0000000002710000-0x0000000002718000-memory.dmp

Filesize
32KB

Download
memory/920-90-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2628-139-0x0000000000280000-0x0000000000480000-memory.dmp

Filesize
2.0MB

Download
memory/2988-17-0x00000000005C0000-0x00000000005DC000-memory.dmp

Filesize
112KB

Download
memory/2988-25-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/2988-27-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/2988-29-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/2988-23-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/2988-21-0x0000000000840000-0x0000000000852000-memory.dmp

Filesize
72KB

Download
memory/2988-19-0x0000000000600000-0x0000000000618000-memory.dmp

Filesize
96KB

Download
memory/2988-15-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/2988-13-0x00000000008A0000-0x0000000000AA0000-memory.dmp

Filesize
2.0MB

Download