dcrat | 9035fcba668617e1471b67b0b5d95ea2582828243ab923dd2c423e667dbd629d

Analysis

max time kernel
117s
max time network
143s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9035fcba668617e1471b67b0b5d95ea2582828243ab923dd2c423e667dbd629d.exe
Size

1.9MB
MD5

f0760ed8625ee03218d3064f83594c03
SHA1

07c653bb3ca05ac4e208f689abc2e0652e8614aa
SHA256

9035fcba668617e1471b67b0b5d95ea2582828243ab923dd2c423e667dbd629d
SHA512

3047e0053a2bf8871f796b3218dd1982adef3b9cffbb90d18cebfda18ad56faef00af34371c7ff9d1c9e84cf92dc220548f801d814625e082e40f4b8fd79746e
SSDEEP

49152:OB8c5eSHkidcRnl0jHWuN2op5tUaqNCAM:QH3k0snDCgNCAM

Score

10^/10

dcrat discovery execution infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2572	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2572	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2572	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2572	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2572	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2572	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2572	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2572	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2572	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2572	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2572	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2572	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2572	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2572	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2572	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2572	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2572	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2572	schtasks.exe	34

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1056	powershell.exe
1624	powershell.exe
1924	powershell.exe
2408	powershell.exe
296	powershell.exe
1772	powershell.exe
1548	powershell.exe
1900	powershell.exe
2060	powershell.exe
2976	powershell.exe
1708	powershell.exe
2536	powershell.exe
2304	powershell.exe
1736	powershell.exe
3000	powershell.exe
664	powershell.exe
944	powershell.exe
1732	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2792	WinRAR.exe
3052	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1920	cmd.exe
1920	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
5	ipinfo.io

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\6cb0b6c459d5d3	WinRAR.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\lsass.exe	WinRAR.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\6203df4a6bafc7	WinRAR.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\Idle.exe	WinRAR.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\6ccacd8608530f	WinRAR.exe
File created	C:\Program Files\Microsoft Office\dwm.exe	WinRAR.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Logs\DISM\sppsvc.exe	WinRAR.exe
File opened for modification	C:\Windows\Logs\DISM\sppsvc.exe	WinRAR.exe
File created	C:\Windows\Logs\DISM\0a1fd5f707cd16	WinRAR.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9035fcba668617e1471b67b0b5d95ea2582828243ab923dd2c423e667dbd629d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WinRAR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WinRAR.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1880	schtasks.exe
2988	schtasks.exe
2396	schtasks.exe
2900	schtasks.exe
2876	schtasks.exe
1740	schtasks.exe
1896	schtasks.exe
3044	schtasks.exe
2452	schtasks.exe
2736	schtasks.exe
2836	schtasks.exe
624	schtasks.exe
1884	schtasks.exe
2368	schtasks.exe
2072	schtasks.exe
1964	schtasks.exe
980	schtasks.exe
2516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe
2792	WinRAR.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	WinRAR.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	296	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	3052	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2472	2492	9035fcba668617e1471b67b0b5d95ea2582828243ab923dd2c423e667dbd629d.exe	30
PID 2492 wrote to memory of 2472	2492	9035fcba668617e1471b67b0b5d95ea2582828243ab923dd2c423e667dbd629d.exe	30
PID 2492 wrote to memory of 2472	2492	9035fcba668617e1471b67b0b5d95ea2582828243ab923dd2c423e667dbd629d.exe	30
PID 2492 wrote to memory of 2472	2492	9035fcba668617e1471b67b0b5d95ea2582828243ab923dd2c423e667dbd629d.exe	30
PID 2472 wrote to memory of 1920	2472	WScript.exe	31
PID 2472 wrote to memory of 1920	2472	WScript.exe	31
PID 2472 wrote to memory of 1920	2472	WScript.exe	31
PID 2472 wrote to memory of 1920	2472	WScript.exe	31
PID 1920 wrote to memory of 2792	1920	cmd.exe	33
PID 1920 wrote to memory of 2792	1920	cmd.exe	33
PID 1920 wrote to memory of 2792	1920	cmd.exe	33
PID 1920 wrote to memory of 2792	1920	cmd.exe	33
PID 2792 wrote to memory of 2304	2792	WinRAR.exe	53
PID 2792 wrote to memory of 2304	2792	WinRAR.exe	53
PID 2792 wrote to memory of 2304	2792	WinRAR.exe	53
PID 2792 wrote to memory of 296	2792	WinRAR.exe	54
PID 2792 wrote to memory of 296	2792	WinRAR.exe	54
PID 2792 wrote to memory of 296	2792	WinRAR.exe	54
PID 2792 wrote to memory of 2408	2792	WinRAR.exe	55
PID 2792 wrote to memory of 2408	2792	WinRAR.exe	55
PID 2792 wrote to memory of 2408	2792	WinRAR.exe	55
PID 2792 wrote to memory of 2060	2792	WinRAR.exe	56
PID 2792 wrote to memory of 2060	2792	WinRAR.exe	56
PID 2792 wrote to memory of 2060	2792	WinRAR.exe	56
PID 2792 wrote to memory of 1924	2792	WinRAR.exe	57
PID 2792 wrote to memory of 1924	2792	WinRAR.exe	57
PID 2792 wrote to memory of 1924	2792	WinRAR.exe	57
PID 2792 wrote to memory of 2536	2792	WinRAR.exe	58
PID 2792 wrote to memory of 2536	2792	WinRAR.exe	58
PID 2792 wrote to memory of 2536	2792	WinRAR.exe	58
PID 2792 wrote to memory of 1624	2792	WinRAR.exe	60
PID 2792 wrote to memory of 1624	2792	WinRAR.exe	60
PID 2792 wrote to memory of 1624	2792	WinRAR.exe	60
PID 2792 wrote to memory of 1900	2792	WinRAR.exe	61
PID 2792 wrote to memory of 1900	2792	WinRAR.exe	61
PID 2792 wrote to memory of 1900	2792	WinRAR.exe	61
PID 2792 wrote to memory of 1548	2792	WinRAR.exe	63
PID 2792 wrote to memory of 1548	2792	WinRAR.exe	63
PID 2792 wrote to memory of 1548	2792	WinRAR.exe	63
PID 2792 wrote to memory of 1732	2792	WinRAR.exe	65
PID 2792 wrote to memory of 1732	2792	WinRAR.exe	65
PID 2792 wrote to memory of 1732	2792	WinRAR.exe	65
PID 2792 wrote to memory of 944	2792	WinRAR.exe	67
PID 2792 wrote to memory of 944	2792	WinRAR.exe	67
PID 2792 wrote to memory of 944	2792	WinRAR.exe	67
PID 2792 wrote to memory of 664	2792	WinRAR.exe	70
PID 2792 wrote to memory of 664	2792	WinRAR.exe	70
PID 2792 wrote to memory of 664	2792	WinRAR.exe	70
PID 2792 wrote to memory of 1056	2792	WinRAR.exe	72
PID 2792 wrote to memory of 1056	2792	WinRAR.exe	72
PID 2792 wrote to memory of 1056	2792	WinRAR.exe	72
PID 2792 wrote to memory of 3000	2792	WinRAR.exe	73
PID 2792 wrote to memory of 3000	2792	WinRAR.exe	73
PID 2792 wrote to memory of 3000	2792	WinRAR.exe	73
PID 2792 wrote to memory of 1772	2792	WinRAR.exe	74
PID 2792 wrote to memory of 1772	2792	WinRAR.exe	74
PID 2792 wrote to memory of 1772	2792	WinRAR.exe	74
PID 2792 wrote to memory of 1708	2792	WinRAR.exe	76
PID 2792 wrote to memory of 1708	2792	WinRAR.exe	76
PID 2792 wrote to memory of 1708	2792	WinRAR.exe	76
PID 2792 wrote to memory of 2976	2792	WinRAR.exe	77
PID 2792 wrote to memory of 2976	2792	WinRAR.exe	77
PID 2792 wrote to memory of 2976	2792	WinRAR.exe	77
PID 2792 wrote to memory of 1736	2792	WinRAR.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9035fcba668617e1471b67b0b5d95ea2582828243ab923dd2c423e667dbd629d.exe
"C:\Users\Admin\AppData\Local\Temp\9035fcba668617e1471b67b0b5d95ea2582828243ab923dd2c423e667dbd629d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\chrome_BITS_11056_1885616804\winrar-x64-701\QfVXG2q6DfaUiSMJ.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\chrome_BITS_11056_1885616804\winrar-x64-701\vrb9dR4dg8Y2QFcBzx1PxO83yV.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\chrome_BITS_11056_1885616804\winrar-x64-701\WinRAR.exe
      "C:\Users\Admin\AppData\Local\Temp\chrome_BITS_11056_1885616804/winrar-x64-701/WinRAR.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\DISM\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_11056_1885616804\winrar-x64-701\WinRAR.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kBMUTqVuEM.bat"
        5⤵
        
        PID:304
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:352
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1740
      - C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\DISM\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Logs\DISM\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\Logs\DISM\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinRARW" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_11056_1885616804\winrar-x64-701\WinRAR.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinRAR" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_11056_1885616804\winrar-x64-701\WinRAR.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinRARW" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_11056_1885616804\winrar-x64-701\WinRAR.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\chrome_BITS_11056_1885616804\winrar-x64-701\QfVXG2q6DfaUiSMJ.vbe

Filesize
251B

MD5
af5a30d028d6a5e7d188ff3b979e8566

SHA1
e76317932d35a4428738912c5b1107af501f4b03

SHA256
1f6f643b2402635cc0cad80bbf2b6ee77da35af77dfb4890687d676affa13eac

SHA512
f1d66bf2dc43b63815e7e86529d402ebf15553f406edde9a3e22f1493b68636b0237ddd92d8e93820a82c7031ca420cd088d397de10adb5f5830bb3f64bafa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_BITS_11056_1885616804\winrar-x64-701\vrb9dR4dg8Y2QFcBzx1PxO83yV.bat

Filesize
117B

MD5
38c9a9b2baa13052d877a46df02f565a

SHA1
9c777107eaac4b39d50347e3757c384b338ad7eb

SHA256
95b80502d9e6d30a2a34b6958bb18cba07f6c8a117ba71eee88df97b91ab4d18

SHA512
f2e35fc451e1702735dbc5effec881b23d094772c34026982201281500392e5092e57c8531018e482d4dc838b1674f43a7a3712f66b376c5bb1c2807ee7c120a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kBMUTqVuEM.bat

Filesize
237B

MD5
7b61e73ecd6e3acfc0209d184b85b6a8

SHA1
fa26c881af003a885ed31a3f6e83969ce4d7b546

SHA256
6449afa1607a9a8ae4f46bd90b6fec65dcd2c29505cd4c4f9fb413515f5ed32d

SHA512
6b83625a7e35c4992d11effd07d7f4bf5bfa98bca9a134ff7371e5146dc51db3fd2b8e9f196aa0372e3adc9933b13ac9897aede94e06e44525539a14b92b7f2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a817bc1d296edc2411d2b0651ad3bd33

SHA1
6d830cf518a1280c0d5a93214a3e19a46ce06a4c

SHA256
a643fd675b7f542e283361c2ce25b972311bd9580932deabe1a448bc486b3dbd

SHA512
dc60161217f5e95432684f380c1ef951774404f54073d3c014a0e246fd327a663449e42672e9aa6bbe11f0316e11b6bc643a5854d38e422f03c0e80a303dc728

Download Submit
memory/1732-133-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/1732-132-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2792-17-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/2792-23-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/2792-25-0x0000000000430000-0x000000000043E000-memory.dmp

Filesize
56KB

Download
memory/2792-27-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/2792-29-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2792-21-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/2792-19-0x0000000000460000-0x0000000000478000-memory.dmp

Filesize
96KB

Download
memory/2792-15-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/2792-13-0x0000000000A60000-0x0000000000C60000-memory.dmp

Filesize
2.0MB

Download
memory/3052-136-0x00000000012B0000-0x00000000014B0000-memory.dmp

Filesize
2.0MB

Download