dcrat | a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473

Analysis

max time kernel
138s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe
Size

1.8MB
MD5

4952c912c225b6b8938322dbdd9a9783
SHA1

33317daf672163d262782f65765971b1ae8007b5
SHA256

a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473
SHA512

582d1e2689332ac644954c77a9edc691e6360d4390ccc53bf22d12d77e82ec2ada21204bd006e5092989a9d9cef6a1c956b899110cf652218911f0277b6a997e
SSDEEP

24576:lTbBv5rUKDF1CAWfaC+ZeyMhYVHsVAq7KvsQCvwi5xLoJBLxqaFnvdioFnewSr/3:PBjF1hWYqVjwrCYi7MPhn5n3azk8

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dwm.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dllhost.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\", \"C:\\Users\\Default\\Start Menu\\csrss.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dwm.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dllhost.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\", \"C:\\Users\\Default\\Start Menu\\csrss.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dwm.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dllhost.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\", \"C:\\Users\\Default\\Start Menu\\csrss.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Componentperf\\componentdll.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dwm.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dwm.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dllhost.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dwm.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dllhost.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\""	componentdll.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2800	schtasks.exe	34

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
904	powershell.exe
868	powershell.exe
1512	powershell.exe
2500	powershell.exe
2316	powershell.exe
1312	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
2796	componentdll.exe
2556	componentdll.exe
2156	componentdll.exe

Loads dropped DLL 2 IoCs

pid	Process
2864	cmd.exe
2864	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Start Menu\\csrss.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\componentdll = "\"C:\\Componentperf\\componentdll.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dwm.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dwm.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dllhost.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\componentdll = "\"C:\\Componentperf\\componentdll.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dllhost.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Start Menu\\csrss.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\""	componentdll.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC774021434688420AA34974B8A373451A.TMP	csc.exe
File created	\??\c:\Windows\System32\byyuy-.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2124	schtasks.exe
1992	schtasks.exe
2236	schtasks.exe
2868	schtasks.exe
1440	schtasks.exe
1432	schtasks.exe
2352	schtasks.exe
1080	schtasks.exe
308	schtasks.exe
1528	schtasks.exe
2156	schtasks.exe
1140	schtasks.exe
2368	schtasks.exe
2928	schtasks.exe
1772	schtasks.exe
884	schtasks.exe
664	schtasks.exe
588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe
2796	componentdll.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	componentdll.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2556	componentdll.exe
Token: SeDebugPrivilege	2156	componentdll.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2776	3048	a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe	30
PID 3048 wrote to memory of 2776	3048	a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe	30
PID 3048 wrote to memory of 2776	3048	a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe	30
PID 3048 wrote to memory of 2776	3048	a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe	30
PID 2776 wrote to memory of 2864	2776	WScript.exe	31
PID 2776 wrote to memory of 2864	2776	WScript.exe	31
PID 2776 wrote to memory of 2864	2776	WScript.exe	31
PID 2776 wrote to memory of 2864	2776	WScript.exe	31
PID 2864 wrote to memory of 2796	2864	cmd.exe	33
PID 2864 wrote to memory of 2796	2864	cmd.exe	33
PID 2864 wrote to memory of 2796	2864	cmd.exe	33
PID 2864 wrote to memory of 2796	2864	cmd.exe	33
PID 2796 wrote to memory of 1504	2796	componentdll.exe	38
PID 2796 wrote to memory of 1504	2796	componentdll.exe	38
PID 2796 wrote to memory of 1504	2796	componentdll.exe	38
PID 1504 wrote to memory of 1936	1504	csc.exe	40
PID 1504 wrote to memory of 1936	1504	csc.exe	40
PID 1504 wrote to memory of 1936	1504	csc.exe	40
PID 2796 wrote to memory of 2500	2796	componentdll.exe	56
PID 2796 wrote to memory of 2500	2796	componentdll.exe	56
PID 2796 wrote to memory of 2500	2796	componentdll.exe	56
PID 2796 wrote to memory of 2316	2796	componentdll.exe	57
PID 2796 wrote to memory of 2316	2796	componentdll.exe	57
PID 2796 wrote to memory of 2316	2796	componentdll.exe	57
PID 2796 wrote to memory of 1312	2796	componentdll.exe	58
PID 2796 wrote to memory of 1312	2796	componentdll.exe	58
PID 2796 wrote to memory of 1312	2796	componentdll.exe	58
PID 2796 wrote to memory of 904	2796	componentdll.exe	59
PID 2796 wrote to memory of 904	2796	componentdll.exe	59
PID 2796 wrote to memory of 904	2796	componentdll.exe	59
PID 2796 wrote to memory of 868	2796	componentdll.exe	60
PID 2796 wrote to memory of 868	2796	componentdll.exe	60
PID 2796 wrote to memory of 868	2796	componentdll.exe	60
PID 2796 wrote to memory of 1512	2796	componentdll.exe	61
PID 2796 wrote to memory of 1512	2796	componentdll.exe	61
PID 2796 wrote to memory of 1512	2796	componentdll.exe	61
PID 2796 wrote to memory of 1960	2796	componentdll.exe	62
PID 2796 wrote to memory of 1960	2796	componentdll.exe	62
PID 2796 wrote to memory of 1960	2796	componentdll.exe	62
PID 1960 wrote to memory of 268	1960	cmd.exe	70
PID 1960 wrote to memory of 268	1960	cmd.exe	70
PID 1960 wrote to memory of 268	1960	cmd.exe	70
PID 1960 wrote to memory of 2944	1960	cmd.exe	71
PID 1960 wrote to memory of 2944	1960	cmd.exe	71
PID 1960 wrote to memory of 2944	1960	cmd.exe	71
PID 1960 wrote to memory of 2556	1960	cmd.exe	72
PID 1960 wrote to memory of 2556	1960	cmd.exe	72
PID 1960 wrote to memory of 2556	1960	cmd.exe	72
PID 2556 wrote to memory of 2432	2556	componentdll.exe	74
PID 2556 wrote to memory of 2432	2556	componentdll.exe	74
PID 2556 wrote to memory of 2432	2556	componentdll.exe	74
PID 2432 wrote to memory of 2476	2432	cmd.exe	76
PID 2432 wrote to memory of 2476	2432	cmd.exe	76
PID 2432 wrote to memory of 2476	2432	cmd.exe	76
PID 2432 wrote to memory of 2932	2432	cmd.exe	77
PID 2432 wrote to memory of 2932	2432	cmd.exe	77
PID 2432 wrote to memory of 2932	2432	cmd.exe	77
PID 2432 wrote to memory of 2156	2432	cmd.exe	78
PID 2432 wrote to memory of 2156	2432	cmd.exe	78
PID 2432 wrote to memory of 2156	2432	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe
"C:\Users\Admin\AppData\Local\Temp\a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Componentperf\cfktGpUTtRSX2yQKRIoM3JndHvk9YcKcheeigUIMecfNqLjRtVUp9sGs.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Componentperf\SQ9jEh0oYRCdpe0w7L4R7l.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Componentperf\componentdll.exe
      "C:\Componentperf/componentdll.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hebmctok\hebmctok.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1504
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES45B7.tmp" "c:\Windows\System32\CSC774021434688420AA34974B8A373451A.TMP"
        6⤵
        
        PID:1936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Componentperf\componentdll.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\URatn9mGg0.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:268
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2944
      - C:\Componentperf\componentdll.exe
        
        "C:\Componentperf\componentdll.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QcyIS95rA8.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2932
        
        C:\Componentperf\componentdll.exe
        
        "C:\Componentperf\componentdll.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Start Menu\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdllc" /sc MINUTE /mo 13 /tr "'C:\Componentperf\componentdll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdll" /sc ONLOGON /tr "'C:\Componentperf\componentdll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdllc" /sc MINUTE /mo 14 /tr "'C:\Componentperf\componentdll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Componentperf\SQ9jEh0oYRCdpe0w7L4R7l.bat

Filesize
94B

MD5
38245dfef92b3892bef514a4f569b043

SHA1
2e96ba9b418200bfb9e33544f3669cf452d27f27

SHA256
86e2a7dce38cdc6eb73f29c05352980861c22db7268140b777b07b21f9f5dd0d

SHA512
2b0dd13c4214e217ded08ec4807bea9a3d70fab80492056ce028db234b5347bc1592025cbf39fca58dfe7aeb72f78493cd137fa658ecf334d84821e47a20724c

Download Submit
C:\Componentperf\cfktGpUTtRSX2yQKRIoM3JndHvk9YcKcheeigUIMecfNqLjRtVUp9sGs.vbe

Filesize
214B

MD5
d2b8c634d59aedcbe2bba990a7e3ce86

SHA1
32e5591d46e65520765fbf7e4c204cc9a2345b55

SHA256
8f63f2cf87891a4fcf31564af3b2b76c8e28e2c0aae723dd3724a5f4e48cc508

SHA512
2858d0659984e01529f6e3f3a1e90893e3c2f745b35961aef8ab0f85edf61f746dff5d2b4733dafd9ffddcdf7f0b87189e7d89d24b3f54ed74afb40ef281cbf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcyIS95rA8.bat

Filesize
209B

MD5
7f3b88e4148c91910d95e05893d3eaa7

SHA1
fd6afd7c87aed3eb0ca9e9cfa2207f1ee524c001

SHA256
28d5e1ff5952d78419019df0dfea0b0d163615ec0c7e6bc945658f61e742187d

SHA512
dc770f72c0cecbfa207b47ccf08f30904f17ebc86c9703c0255d07ddbb899a3cb58b64fe1eda7e4b34fe2f8316d7cb352d89e447a7b71641f4775f216196682a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES45B7.tmp

Filesize
1KB

MD5
855c7148d19f24b55f2e3531fb9f056b

SHA1
50c7c7a09f027e8e58ca45bf6f20a6b130665559

SHA256
90ba67de2b36dce3607828dbe28640f983b0b85fd0af83935ee60b02ed798e25

SHA512
8761b00b39bb42f9b5d6756709241fbb80b8e31dd5a668fec2c50905c2a26323048cdf5de581060a4387488c127978a9b069d0f1cc17e55d188a1bd00e2b3aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\URatn9mGg0.bat

Filesize
209B

MD5
64b07187077cca666105fee5667fc614

SHA1
102815f41282a98f2155e0df4641110eec1c9b2a

SHA256
4f3e2fc870cdca711b865cfe32e2eaf9aef9d8c36da3ef1b34b1ee6b386a9212

SHA512
b49726f5595812550e3edb31ac32b88f14588da31fe654599f8922bcebf24b54a304d0e2512903ac908eaa83d964900f6cdb390db55120430464d1a6c1a028f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7f3d92e5b1a0a34a33e0df5cee0367d3

SHA1
1448b01244eb8d51c3c863433c0483a6a87b7f76

SHA256
aff548c364b159b56dc635ec9cd0610b7d2be191b03cce8bb5bb5487a88d1e09

SHA512
fa44c7adc79ae1230cd92cc2493976e663374baac348a7a444cd9e179b9d4788e42f9a06b5f0797a260d0df1a2abcc2e8b128951015f9507ed32865ffe7b4458

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hebmctok\hebmctok.0.cs

Filesize
415B

MD5
ba093d165b004af7298bdb3aac341a31

SHA1
3c3f3db8ee4bc9a7f7bec80b41611042a9d2f699

SHA256
bc679faa5288d02d3855b5523ced2e2f97d3ffa2eecba51123dfc3962e360a85

SHA512
d2ba6ec406a10270dfc70c6c4d189c16298b85b43e9589364ca01a7455212f2eddf87a719157040686f3e1c2f966ce4043d999455d0e558cc365eb9fdd68b411

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hebmctok\hebmctok.cmdline

Filesize
235B

MD5
dd6cc1d43376658cd509c2f72ba2ae52

SHA1
3a98b2184a21ed120566a49bed183c2667980a70

SHA256
4ecb3cc7c32d22166b87a3feb053245a606fd31afd7d26b38d2d878de5096378

SHA512
a5b7679d138ad1d8596ad7212fc40809eb07517450e64387744498476e495d4e11e085584fbef1326ecc07149d09d2658beabf7b7f6ecd761bb19184e6ca9d81

Download Submit
\??\c:\Windows\System32\CSC774021434688420AA34974B8A373451A.TMP

Filesize
1KB

MD5
078586b266e519b5c113064d7a0bf45c

SHA1
a9395c0ef35add5c75591ebb94c85c1f33f408bf

SHA256
ccf292ff9f142b204ad4f4481a044ba8f9ab274305dcb604bf0b8ae91819ab1e

SHA512
5b8eb6aad62657309088c4668d633c2aa6324d4824ec32c3c5e133df0a5493a4342c980e077ba565f3aab29c58f95c8db7195415a1e554384405c1457730f959

Download Submit
\Componentperf\componentdll.exe

Filesize
1.9MB

MD5
7fd78c3dfb4d897f2e572a89721f272a

SHA1
0bf21b96846c8ba92aaffc8eef868f4ed2d36eb0

SHA256
0b336aaf70796274f51f9ee315077e63433c16a84cedc1a4fe45fc17759d2aca

SHA512
95693f447a4a0e102ad90f1e574ea15ce4279f6bb937cb7ba5fe384ec96a665561f9798c5f85f925c98354fbfaafda7fd099d9a7f4008c3410e23535bc4253cc

Download Submit
memory/1312-63-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2316-64-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/2796-15-0x0000000000610000-0x000000000061E000-memory.dmp

Filesize
56KB

Download
memory/2796-25-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/2796-23-0x0000000000630000-0x000000000063E000-memory.dmp

Filesize
56KB

Download
memory/2796-21-0x0000000000620000-0x000000000062E000-memory.dmp

Filesize
56KB

Download
memory/2796-19-0x0000000000660000-0x0000000000678000-memory.dmp

Filesize
96KB

Download
memory/2796-17-0x0000000000640000-0x000000000065C000-memory.dmp

Filesize
112KB

Download
memory/2796-13-0x0000000001340000-0x0000000001530000-memory.dmp

Filesize
1.9MB

Download