dcrat | a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473

Resubmissions

09-12-2024 21:16

241209-z4ngfawqcm 10

09-12-2024 15:53

241209-tbtj4asqbx 10

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe
Size

1.8MB
MD5

4952c912c225b6b8938322dbdd9a9783
SHA1

33317daf672163d262782f65765971b1ae8007b5
SHA256

a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473
SHA512

582d1e2689332ac644954c77a9edc691e6360d4390ccc53bf22d12d77e82ec2ada21204bd006e5092989a9d9cef6a1c956b899110cf652218911f0277b6a997e
SSDEEP

24576:lTbBv5rUKDF1CAWfaC+ZeyMhYVHsVAq7KvsQCvwi5xLoJBLxqaFnvdioFnewSr/3:PBjF1hWYqVjwrCYi7MPhn5n3azk8

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Web\\Wallpaper\\Theme1\\dwm.exe\", \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\WaaSMedicAgent.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\smss.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Web\\Wallpaper\\Theme1\\dwm.exe\", \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\WaaSMedicAgent.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\smss.exe\", \"C:\\Windows\\addins\\wininit.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Web\\Wallpaper\\Theme1\\dwm.exe\", \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\WaaSMedicAgent.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\smss.exe\", \"C:\\Windows\\addins\\wininit.exe\", \"C:\\Componentperf\\componentdll.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Web\\Wallpaper\\Theme1\\dwm.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Web\\Wallpaper\\Theme1\\dwm.exe\", \"C:\\Program Files\\Windows Mail\\wininit.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Web\\Wallpaper\\Theme1\\dwm.exe\", \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\WaaSMedicAgent.exe\""	componentdll.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	3412	schtasks.exe	86

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3488	powershell.exe
4132	powershell.exe
4172	powershell.exe
3764	powershell.exe
3880	powershell.exe
3168	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	componentdll.exe

Executes dropped EXE 2 IoCs

pid	Process
1748	componentdll.exe
720	wininit.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Web\\Wallpaper\\Theme1\\dwm.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Admin\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\smss.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\addins\\wininit.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\addins\\wininit.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\componentdll = "\"C:\\Componentperf\\componentdll.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\componentdll = "\"C:\\Componentperf\\componentdll.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Web\\Wallpaper\\Theme1\\dwm.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Mail\\wininit.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Mail\\wininit.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Recovery\\WindowsRE\\WaaSMedicAgent.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Recovery\\WindowsRE\\WaaSMedicAgent.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Admin\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\smss.exe\""	componentdll.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC744313A332944A82A3A2408A5B3836D3.TMP	csc.exe
File created	\??\c:\Windows\System32\enb1sa.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\wininit.exe	componentdll.exe
File created	C:\Program Files\Windows Mail\56085415360792	componentdll.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\addins\wininit.exe	componentdll.exe
File created	C:\Windows\addins\56085415360792	componentdll.exe
File created	C:\Windows\Web\Wallpaper\Theme1\dwm.exe	componentdll.exe
File created	C:\Windows\Web\Wallpaper\Theme1\6cb0b6c459d5d3	componentdll.exe
File created	C:\Windows\addins\wininit.exe	componentdll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	componentdll.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3068	schtasks.exe
456	schtasks.exe
4452	schtasks.exe
5084	schtasks.exe
1380	schtasks.exe
4200	schtasks.exe
3900	schtasks.exe
1688	schtasks.exe
516	schtasks.exe
4540	schtasks.exe
3460	schtasks.exe
2516	schtasks.exe
4112	schtasks.exe
2572	schtasks.exe
3200	schtasks.exe
1272	schtasks.exe
1612	schtasks.exe
1796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe
1748	componentdll.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
720	wininit.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1748	componentdll.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	3764	powershell.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	4172	powershell.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	720	wininit.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 3444	3824	a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe	82
PID 3824 wrote to memory of 3444	3824	a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe	82
PID 3824 wrote to memory of 3444	3824	a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe	82
PID 3444 wrote to memory of 1492	3444	WScript.exe	90
PID 3444 wrote to memory of 1492	3444	WScript.exe	90
PID 3444 wrote to memory of 1492	3444	WScript.exe	90
PID 1492 wrote to memory of 1748	1492	cmd.exe	92
PID 1492 wrote to memory of 1748	1492	cmd.exe	92
PID 1748 wrote to memory of 3704	1748	componentdll.exe	96
PID 1748 wrote to memory of 3704	1748	componentdll.exe	96
PID 3704 wrote to memory of 4156	3704	csc.exe	98
PID 3704 wrote to memory of 4156	3704	csc.exe	98
PID 1748 wrote to memory of 4132	1748	componentdll.exe	114
PID 1748 wrote to memory of 4132	1748	componentdll.exe	114
PID 1748 wrote to memory of 3488	1748	componentdll.exe	115
PID 1748 wrote to memory of 3488	1748	componentdll.exe	115
PID 1748 wrote to memory of 3168	1748	componentdll.exe	116
PID 1748 wrote to memory of 3168	1748	componentdll.exe	116
PID 1748 wrote to memory of 3880	1748	componentdll.exe	117
PID 1748 wrote to memory of 3880	1748	componentdll.exe	117
PID 1748 wrote to memory of 4172	1748	componentdll.exe	118
PID 1748 wrote to memory of 4172	1748	componentdll.exe	118
PID 1748 wrote to memory of 3764	1748	componentdll.exe	119
PID 1748 wrote to memory of 3764	1748	componentdll.exe	119
PID 1748 wrote to memory of 4920	1748	componentdll.exe	125
PID 1748 wrote to memory of 4920	1748	componentdll.exe	125
PID 4920 wrote to memory of 3636	4920	cmd.exe	128
PID 4920 wrote to memory of 3636	4920	cmd.exe	128
PID 4920 wrote to memory of 3984	4920	cmd.exe	129
PID 4920 wrote to memory of 3984	4920	cmd.exe	129
PID 4920 wrote to memory of 720	4920	cmd.exe	130
PID 4920 wrote to memory of 720	4920	cmd.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe
"C:\Users\Admin\AppData\Local\Temp\a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Componentperf\cfktGpUTtRSX2yQKRIoM3JndHvk9YcKcheeigUIMecfNqLjRtVUp9sGs.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Componentperf\SQ9jEh0oYRCdpe0w7L4R7l.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Componentperf\componentdll.exe
      "C:\Componentperf/componentdll.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2eqeysvx\2eqeysvx.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3704
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0A9.tmp" "c:\Windows\System32\CSC744313A332944A82A3A2408A5B3836D3.TMP"
        6⤵
        
        PID:4156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Theme1\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Componentperf\componentdll.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3764
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZEiTd4loQ5.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4920
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3636
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3984
      - C:\Program Files\Windows Mail\wininit.exe
        
        "C:\Program Files\Windows Mail\wininit.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Web\Wallpaper\Theme1\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Theme1\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\Theme1\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\addins\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdllc" /sc MINUTE /mo 13 /tr "'C:\Componentperf\componentdll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdll" /sc ONLOGON /tr "'C:\Componentperf\componentdll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdllc" /sc MINUTE /mo 11 /tr "'C:\Componentperf\componentdll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Componentperf\SQ9jEh0oYRCdpe0w7L4R7l.bat

Filesize
94B

MD5
38245dfef92b3892bef514a4f569b043

SHA1
2e96ba9b418200bfb9e33544f3669cf452d27f27

SHA256
86e2a7dce38cdc6eb73f29c05352980861c22db7268140b777b07b21f9f5dd0d

SHA512
2b0dd13c4214e217ded08ec4807bea9a3d70fab80492056ce028db234b5347bc1592025cbf39fca58dfe7aeb72f78493cd137fa658ecf334d84821e47a20724c

Download Submit
C:\Componentperf\cfktGpUTtRSX2yQKRIoM3JndHvk9YcKcheeigUIMecfNqLjRtVUp9sGs.vbe

Filesize
214B

MD5
d2b8c634d59aedcbe2bba990a7e3ce86

SHA1
32e5591d46e65520765fbf7e4c204cc9a2345b55

SHA256
8f63f2cf87891a4fcf31564af3b2b76c8e28e2c0aae723dd3724a5f4e48cc508

SHA512
2858d0659984e01529f6e3f3a1e90893e3c2f745b35961aef8ab0f85edf61f746dff5d2b4733dafd9ffddcdf7f0b87189e7d89d24b3f54ed74afb40ef281cbf0

Download Submit
C:\Componentperf\componentdll.exe

Filesize
1.9MB

MD5
7fd78c3dfb4d897f2e572a89721f272a

SHA1
0bf21b96846c8ba92aaffc8eef868f4ed2d36eb0

SHA256
0b336aaf70796274f51f9ee315077e63433c16a84cedc1a4fe45fc17759d2aca

SHA512
95693f447a4a0e102ad90f1e574ea15ce4279f6bb937cb7ba5fe384ec96a665561f9798c5f85f925c98354fbfaafda7fd099d9a7f4008c3410e23535bc4253cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF0A9.tmp

Filesize
1KB

MD5
da5e10087cc14c37389ddba7a9500bcc

SHA1
74f1614ccd9eb54ad637c7f274c546abd072d254

SHA256
3c5e667bed3b01a1ba01c44218de16ad7a5dc406bdad7c7c127462c7420bd62e

SHA512
6b5bb0bd904901929c1d057c1615b553a126091355d2d18047660d03f7af57bf3a6e8ae48af7560137d7f1767b678c5113ca5b8bb5726c9fcdbb320e9114d652

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZEiTd4loQ5.bat

Filesize
217B

MD5
18225458ea4d28beddd44afbf98d3de3

SHA1
e6a6fa98e72687863d0f1b48079f7f141c83d345

SHA256
42ca61823f253f4754f4fe1cc1fd9b993ce9d1fdb2be9d926749e162d57ba902

SHA512
3e0a2f6fa96c4fab29a7d2af50f1b890defb316372de4b605bfe143ff15b1fcfd9e7c0d4c60a2dabac38509d297fddf37c4bad91896bde8292f0adf4e8bb65ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qzxqsyyz.hnp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2eqeysvx\2eqeysvx.0.cs

Filesize
371B

MD5
c89ed623be1d29d431dba2ac1b121601

SHA1
9d81d38c2372420ff2b28879e6a73552b830cbe3

SHA256
6bea3091e3dbbc6a673eb555621929793d3a64be74ab8b61410257ba7980be6a

SHA512
76e0df123284d1bff4c987ae93c508778d315f63d034365d2f6e0966917baabf6c57b39dce5a97a3e3fc0f4e38ec1c2f70b39f53d4c1e8cffc8a4f64f17cb241

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2eqeysvx\2eqeysvx.cmdline

Filesize
235B

MD5
f0c814c3c8e9e106047cb1721c54f393

SHA1
86720ed417db4abcdf42aec433372e7188247919

SHA256
641b77b8bbd17c5e8b7f7cddd9bff78060762fcecff6ad0b3e2b8c5ec1c50cfd

SHA512
7cd9002bc43356732f48911a50fc26d83c91750dc1a36e43795171ba80aa5b7134a55b15689670b477a943b91b92560830ffe5ec93186f9439d154196889362b

Download Submit
\??\c:\Windows\System32\CSC744313A332944A82A3A2408A5B3836D3.TMP

Filesize
1KB

MD5
5984679060d0fc54eba47cead995f65a

SHA1
f72bbbba060ac80ac6abedc7b8679e8963f63ebf

SHA256
4104fdf5499f0aa7dd161568257acae002620ec385f2ede2072d4f550ecff433

SHA512
bc8aadfabe5dbb4e3ea5e07a5ccbddd363400005675acda3e9cb414dc75fb0ba74f41b4a6baf34d42f85a9ae0af7d2418420c78b0c643f7243fe93a49b8140b5

Download Submit
memory/1748-15-0x0000000002EB0000-0x0000000002EBE000-memory.dmp

Filesize
56KB

Download
memory/1748-26-0x000000001BA30000-0x000000001BA3C000-memory.dmp

Filesize
48KB

Download
memory/1748-24-0x000000001BA00000-0x000000001BA0E000-memory.dmp

Filesize
56KB

Download
memory/1748-22-0x000000001B9F0000-0x000000001B9FE000-memory.dmp

Filesize
56KB

Download
memory/1748-20-0x000000001BA50000-0x000000001BA68000-memory.dmp

Filesize
96KB

Download
memory/1748-18-0x000000001BDB0000-0x000000001BE00000-memory.dmp

Filesize
320KB

Download
memory/1748-17-0x000000001BA10000-0x000000001BA2C000-memory.dmp

Filesize
112KB

Download
memory/1748-13-0x0000000000BF0000-0x0000000000DE0000-memory.dmp

Filesize
1.9MB

Download
memory/1748-12-0x00007FF8141D3000-0x00007FF8141D5000-memory.dmp

Filesize
8KB

Download
memory/3880-64-0x000001A7F7B50000-0x000001A7F7B72000-memory.dmp

Filesize
136KB

Download