dcrat | a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473

Resubmissions

09-12-2024 21:16

241209-z4ngfawqcm 10

09-12-2024 15:53

241209-tbtj4asqbx 10

Analysis

max time kernel
117s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe
Size

1.8MB
MD5

4952c912c225b6b8938322dbdd9a9783
SHA1

33317daf672163d262782f65765971b1ae8007b5
SHA256

a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473
SHA512

582d1e2689332ac644954c77a9edc691e6360d4390ccc53bf22d12d77e82ec2ada21204bd006e5092989a9d9cef6a1c956b899110cf652218911f0277b6a997e
SSDEEP

24576:lTbBv5rUKDF1CAWfaC+ZeyMhYVHsVAq7KvsQCvwi5xLoJBLxqaFnvdioFnewSr/3:PBjF1hWYqVjwrCYi7MPhn5n3azk8

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsass.exe\", \"C:\\Componentperf\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\Minesweeper\\es-ES\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\dwm.exe\", \"C:\\Componentperf\\componentdll.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsass.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsass.exe\", \"C:\\Componentperf\\smss.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsass.exe\", \"C:\\Componentperf\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\Minesweeper\\es-ES\\spoolsv.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsass.exe\", \"C:\\Componentperf\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\Minesweeper\\es-ES\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\dwm.exe\""	componentdll.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2916	schtasks.exe	34

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2732	powershell.exe
2520	powershell.exe
984	powershell.exe
1316	powershell.exe
1608	powershell.exe
1988	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2724	componentdll.exe
2516	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2576	cmd.exe
2576	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\dwm.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\dwm.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\componentdll = "\"C:\\Componentperf\\componentdll.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Portable Devices\\lsass.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Componentperf\\smss.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Microsoft Games\\Minesweeper\\es-ES\\spoolsv.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Microsoft Games\\Minesweeper\\es-ES\\spoolsv.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\componentdll = "\"C:\\Componentperf\\componentdll.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Portable Devices\\lsass.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Componentperf\\smss.exe\""	componentdll.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCD87146DDDE2A4EA8BC6A9DAEDF816E63.TMP	csc.exe
File created	\??\c:\Windows\System32\byyuy-.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Minesweeper\es-ES\spoolsv.exe	componentdll.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\es-ES\f3b6ecef712a24	componentdll.exe
File created	C:\Program Files (x86)\Windows Portable Devices\lsass.exe	componentdll.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6203df4a6bafc7	componentdll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2328	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2328	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1636	schtasks.exe
2268	schtasks.exe
1004	schtasks.exe
2112	schtasks.exe
1932	schtasks.exe
2420	schtasks.exe
1640	schtasks.exe
2168	schtasks.exe
2364	schtasks.exe
2828	schtasks.exe
2876	schtasks.exe
588	schtasks.exe
2964	schtasks.exe
840	schtasks.exe
2256	schtasks.exe
2648	schtasks.exe
1700	schtasks.exe
1956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe
2724	componentdll.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	componentdll.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2516	sppsvc.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2804	2424	a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe	30
PID 2424 wrote to memory of 2804	2424	a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe	30
PID 2424 wrote to memory of 2804	2424	a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe	30
PID 2424 wrote to memory of 2804	2424	a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe	30
PID 2804 wrote to memory of 2576	2804	WScript.exe	31
PID 2804 wrote to memory of 2576	2804	WScript.exe	31
PID 2804 wrote to memory of 2576	2804	WScript.exe	31
PID 2804 wrote to memory of 2576	2804	WScript.exe	31
PID 2576 wrote to memory of 2724	2576	cmd.exe	33
PID 2576 wrote to memory of 2724	2576	cmd.exe	33
PID 2576 wrote to memory of 2724	2576	cmd.exe	33
PID 2576 wrote to memory of 2724	2576	cmd.exe	33
PID 2724 wrote to memory of 1408	2724	componentdll.exe	38
PID 2724 wrote to memory of 1408	2724	componentdll.exe	38
PID 2724 wrote to memory of 1408	2724	componentdll.exe	38
PID 1408 wrote to memory of 1496	1408	csc.exe	40
PID 1408 wrote to memory of 1496	1408	csc.exe	40
PID 1408 wrote to memory of 1496	1408	csc.exe	40
PID 2724 wrote to memory of 984	2724	componentdll.exe	56
PID 2724 wrote to memory of 984	2724	componentdll.exe	56
PID 2724 wrote to memory of 984	2724	componentdll.exe	56
PID 2724 wrote to memory of 1316	2724	componentdll.exe	57
PID 2724 wrote to memory of 1316	2724	componentdll.exe	57
PID 2724 wrote to memory of 1316	2724	componentdll.exe	57
PID 2724 wrote to memory of 1608	2724	componentdll.exe	58
PID 2724 wrote to memory of 1608	2724	componentdll.exe	58
PID 2724 wrote to memory of 1608	2724	componentdll.exe	58
PID 2724 wrote to memory of 1988	2724	componentdll.exe	59
PID 2724 wrote to memory of 1988	2724	componentdll.exe	59
PID 2724 wrote to memory of 1988	2724	componentdll.exe	59
PID 2724 wrote to memory of 2732	2724	componentdll.exe	60
PID 2724 wrote to memory of 2732	2724	componentdll.exe	60
PID 2724 wrote to memory of 2732	2724	componentdll.exe	60
PID 2724 wrote to memory of 2520	2724	componentdll.exe	61
PID 2724 wrote to memory of 2520	2724	componentdll.exe	61
PID 2724 wrote to memory of 2520	2724	componentdll.exe	61
PID 2724 wrote to memory of 1772	2724	componentdll.exe	68
PID 2724 wrote to memory of 1772	2724	componentdll.exe	68
PID 2724 wrote to memory of 1772	2724	componentdll.exe	68
PID 1772 wrote to memory of 616	1772	cmd.exe	70
PID 1772 wrote to memory of 616	1772	cmd.exe	70
PID 1772 wrote to memory of 616	1772	cmd.exe	70
PID 1772 wrote to memory of 2328	1772	cmd.exe	71
PID 1772 wrote to memory of 2328	1772	cmd.exe	71
PID 1772 wrote to memory of 2328	1772	cmd.exe	71
PID 1772 wrote to memory of 2516	1772	cmd.exe	72
PID 1772 wrote to memory of 2516	1772	cmd.exe	72
PID 1772 wrote to memory of 2516	1772	cmd.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe
"C:\Users\Admin\AppData\Local\Temp\a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Componentperf\cfktGpUTtRSX2yQKRIoM3JndHvk9YcKcheeigUIMecfNqLjRtVUp9sGs.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Componentperf\SQ9jEh0oYRCdpe0w7L4R7l.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Componentperf\componentdll.exe
      "C:\Componentperf/componentdll.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qya2d1wl\qya2d1wl.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1408
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A97.tmp" "c:\Windows\System32\CSCD87146DDDE2A4EA8BC6A9DAEDF816E63.TMP"
        6⤵
        
        PID:1496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Componentperf\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Minesweeper\es-ES\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Componentperf\componentdll.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hPYHGwrpS8.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1772
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:616
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2328
      - C:\Users\Default User\sppsvc.exe
        
        "C:\Users\Default User\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Componentperf\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Componentperf\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Componentperf\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\Minesweeper\es-ES\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\Minesweeper\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdllc" /sc MINUTE /mo 10 /tr "'C:\Componentperf\componentdll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdll" /sc ONLOGON /tr "'C:\Componentperf\componentdll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdllc" /sc MINUTE /mo 9 /tr "'C:\Componentperf\componentdll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Componentperf\SQ9jEh0oYRCdpe0w7L4R7l.bat

Filesize
94B

MD5
38245dfef92b3892bef514a4f569b043

SHA1
2e96ba9b418200bfb9e33544f3669cf452d27f27

SHA256
86e2a7dce38cdc6eb73f29c05352980861c22db7268140b777b07b21f9f5dd0d

SHA512
2b0dd13c4214e217ded08ec4807bea9a3d70fab80492056ce028db234b5347bc1592025cbf39fca58dfe7aeb72f78493cd137fa658ecf334d84821e47a20724c

Download Submit
C:\Componentperf\cfktGpUTtRSX2yQKRIoM3JndHvk9YcKcheeigUIMecfNqLjRtVUp9sGs.vbe

Filesize
214B

MD5
d2b8c634d59aedcbe2bba990a7e3ce86

SHA1
32e5591d46e65520765fbf7e4c204cc9a2345b55

SHA256
8f63f2cf87891a4fcf31564af3b2b76c8e28e2c0aae723dd3724a5f4e48cc508

SHA512
2858d0659984e01529f6e3f3a1e90893e3c2f745b35961aef8ab0f85edf61f746dff5d2b4733dafd9ffddcdf7f0b87189e7d89d24b3f54ed74afb40ef281cbf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4A97.tmp

Filesize
1KB

MD5
97b55831018b1e6b75c2a3ba5b120453

SHA1
d3952795ad07a054f74ad04092eb2aa863c5e5bf

SHA256
d83f91bce76c34ec288cf79286775a5c66f3c2865ef5ab8bc170d768af23876b

SHA512
b62fe9b8b4bf4692a429e3763206e8afe7af632f34fe360b1b8f5cac5fe7625651a40df1fecea2fd24c3658081f517b55e2142065f8cdc980bdd05e1e92ec2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hPYHGwrpS8.bat

Filesize
160B

MD5
f02542e5bf0cd7032653db3fa34f22d6

SHA1
b41eff83cb7a57994e4937f8f76297080bbf45d8

SHA256
d46361d43b67185827b6d0d85f3815be9de6d17e5e1390c9c3bee233422cf759

SHA512
6b1dada8876737b4e0f251f2f29995f3ecf49442671f2fd174d1874928c36c9bcd802fc6f709b993c25131a097977da2fc3c42857831acd301d895506cd4d219

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5ecdc837e375caaed244c8c6da814205

SHA1
5ee4522246ae6556effb964a95d02a4bfe26fa0b

SHA256
cdd4f47a476d2b204df13c51f4cd4b1eca973a0938cf0f4888d61804b034858d

SHA512
37ed3966900a6df54da2a9e5ca070104ba6be302b3844bf5cf052bd2a02e429eae18389810291481ba6e3ea474ce237028eb6cce39f364a59f81fb1527d9140f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qya2d1wl\qya2d1wl.0.cs

Filesize
364B

MD5
4c2223634f01a8d928f51e8d0537e0c1

SHA1
b46d840640ff7e613d6d4037efbab62d9ab9567a

SHA256
0ea85d6630c29d4e6ba2d6418316266c6418f4f3b8cf7c43d0ee64216a7e1111

SHA512
55025b929b7178a7ba0ebd87882aa1c6194718971f88b0e8521b24629f1fa231cb904f3d3b951ec839ed762bdfed623d715243c5724007965ccad467018da770

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qya2d1wl\qya2d1wl.cmdline

Filesize
235B

MD5
df38dc726c22cc11b7295f2512522819

SHA1
e3ae85d0b1692ec4f8785e168845c6975efc8e92

SHA256
be3f68fe24e9239557cbc3aedaf0d2f7f2289edc466a648e265eb40e4c9b1a52

SHA512
c79dde21ad474d92a53a3e94a6aaf7f78c7f726a924233671bbb9cc911437b4e172a2432903a0a56d3aa95858291f4ee4c55a1fc7d32ced12d2627ee7974b778

Download Submit
\??\c:\Windows\System32\CSCD87146DDDE2A4EA8BC6A9DAEDF816E63.TMP

Filesize
1KB

MD5
078586b266e519b5c113064d7a0bf45c

SHA1
a9395c0ef35add5c75591ebb94c85c1f33f408bf

SHA256
ccf292ff9f142b204ad4f4481a044ba8f9ab274305dcb604bf0b8ae91819ab1e

SHA512
5b8eb6aad62657309088c4668d633c2aa6324d4824ec32c3c5e133df0a5493a4342c980e077ba565f3aab29c58f95c8db7195415a1e554384405c1457730f959

Download Submit
\Componentperf\componentdll.exe

Filesize
1.9MB

MD5
7fd78c3dfb4d897f2e572a89721f272a

SHA1
0bf21b96846c8ba92aaffc8eef868f4ed2d36eb0

SHA256
0b336aaf70796274f51f9ee315077e63433c16a84cedc1a4fe45fc17759d2aca

SHA512
95693f447a4a0e102ad90f1e574ea15ce4279f6bb937cb7ba5fe384ec96a665561f9798c5f85f925c98354fbfaafda7fd099d9a7f4008c3410e23535bc4253cc

Download Submit
memory/1316-68-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/1316-80-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/2516-87-0x0000000000130000-0x0000000000320000-memory.dmp

Filesize
1.9MB

Download
memory/2724-15-0x0000000000470000-0x000000000047E000-memory.dmp

Filesize
56KB

Download
memory/2724-25-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/2724-23-0x00000000004A0000-0x00000000004AE000-memory.dmp

Filesize
56KB

Download
memory/2724-21-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/2724-19-0x0000000000660000-0x0000000000678000-memory.dmp

Filesize
96KB

Download
memory/2724-17-0x00000000004B0000-0x00000000004CC000-memory.dmp

Filesize
112KB

Download
memory/2724-13-0x0000000000020000-0x0000000000210000-memory.dmp

Filesize
1.9MB

Download