dcrat | a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473

Resubmissions

09-12-2024 21:16

241209-z4ngfawqcm 10

09-12-2024 15:53

241209-tbtj4asqbx 10

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe
Size

1.8MB
MD5

4952c912c225b6b8938322dbdd9a9783
SHA1

33317daf672163d262782f65765971b1ae8007b5
SHA256

a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473
SHA512

582d1e2689332ac644954c77a9edc691e6360d4390ccc53bf22d12d77e82ec2ada21204bd006e5092989a9d9cef6a1c956b899110cf652218911f0277b6a997e
SSDEEP

24576:lTbBv5rUKDF1CAWfaC+ZeyMhYVHsVAq7KvsQCvwi5xLoJBLxqaFnvdioFnewSr/3:PBjF1hWYqVjwrCYi7MPhn5n3azk8

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\include\\win32\\winlogon.exe\", \"C:\\Windows\\Offline Web Pages\\taskhostw.exe\", \"C:\\Windows\\PolicyDefinitions\\ja-JP\\unsecapp.exe\", \"C:\\Componentperf\\componentdll.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\conhost.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\include\\win32\\winlogon.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\include\\win32\\winlogon.exe\", \"C:\\Windows\\Offline Web Pages\\taskhostw.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\include\\win32\\winlogon.exe\", \"C:\\Windows\\Offline Web Pages\\taskhostw.exe\", \"C:\\Windows\\PolicyDefinitions\\ja-JP\\unsecapp.exe\""	componentdll.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	4144	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	4144	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	4144	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	4144	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	4144	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	4144	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	4144	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	4144	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	4144	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	4144	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	4144	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	4144	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	4144	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	4144	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	4144	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	4144	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	4144	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	4144	schtasks.exe	89

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4644	powershell.exe
3888	powershell.exe
4932	powershell.exe
4356	powershell.exe
1300	powershell.exe
4368	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	componentdll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	componentdll.exe

Executes dropped EXE 3 IoCs

pid	Process
4588	componentdll.exe
932	componentdll.exe
4268	componentdll.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Java\\jdk-1.8\\include\\win32\\winlogon.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\Offline Web Pages\\taskhostw.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\Offline Web Pages\\taskhostw.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\componentdll = "\"C:\\Componentperf\\componentdll.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\componentdll = "\"C:\\Componentperf\\componentdll.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Java\\jdk-1.8\\include\\win32\\winlogon.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\PolicyDefinitions\\ja-JP\\unsecapp.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\PolicyDefinitions\\ja-JP\\unsecapp.exe\""	componentdll.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC8231572C198434C898747E95584AEE.TMP	csc.exe
File created	\??\c:\Windows\System32\hnaorh.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\include\win32\winlogon.exe	componentdll.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\cc11b995f2a76d	componentdll.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\ja-JP\unsecapp.exe	componentdll.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\unsecapp.exe	componentdll.exe
File created	C:\Windows\PolicyDefinitions\ja-JP\29c1c3cc0f7685	componentdll.exe
File created	C:\Windows\Offline Web Pages\taskhostw.exe	componentdll.exe
File created	C:\Windows\Offline Web Pages\ea9f0e6c9e2dcd	componentdll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	componentdll.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	componentdll.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2276	schtasks.exe
2684	schtasks.exe
4580	schtasks.exe
4812	schtasks.exe
2236	schtasks.exe
2460	schtasks.exe
1988	schtasks.exe
3032	schtasks.exe
2568	schtasks.exe
4764	schtasks.exe
636	schtasks.exe
4136	schtasks.exe
3756	schtasks.exe
3364	schtasks.exe
8	schtasks.exe
5000	schtasks.exe
3712	schtasks.exe
2736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe
4588	componentdll.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4588	componentdll.exe
Token: SeDebugPrivilege	3888	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	932	componentdll.exe
Token: SeDebugPrivilege	4268	componentdll.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 4984	1048	a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe	83
PID 1048 wrote to memory of 4984	1048	a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe	83
PID 1048 wrote to memory of 4984	1048	a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe	83
PID 4984 wrote to memory of 4476	4984	WScript.exe	97
PID 4984 wrote to memory of 4476	4984	WScript.exe	97
PID 4984 wrote to memory of 4476	4984	WScript.exe	97
PID 4476 wrote to memory of 4588	4476	cmd.exe	99
PID 4476 wrote to memory of 4588	4476	cmd.exe	99
PID 4588 wrote to memory of 876	4588	componentdll.exe	103
PID 4588 wrote to memory of 876	4588	componentdll.exe	103
PID 876 wrote to memory of 3352	876	csc.exe	105
PID 876 wrote to memory of 3352	876	csc.exe	105
PID 4588 wrote to memory of 4644	4588	componentdll.exe	121
PID 4588 wrote to memory of 4644	4588	componentdll.exe	121
PID 4588 wrote to memory of 4368	4588	componentdll.exe	122
PID 4588 wrote to memory of 4368	4588	componentdll.exe	122
PID 4588 wrote to memory of 4356	4588	componentdll.exe	123
PID 4588 wrote to memory of 4356	4588	componentdll.exe	123
PID 4588 wrote to memory of 1300	4588	componentdll.exe	124
PID 4588 wrote to memory of 1300	4588	componentdll.exe	124
PID 4588 wrote to memory of 3888	4588	componentdll.exe	126
PID 4588 wrote to memory of 3888	4588	componentdll.exe	126
PID 4588 wrote to memory of 4932	4588	componentdll.exe	127
PID 4588 wrote to memory of 4932	4588	componentdll.exe	127
PID 4588 wrote to memory of 4540	4588	componentdll.exe	133
PID 4588 wrote to memory of 4540	4588	componentdll.exe	133
PID 4540 wrote to memory of 2164	4540	cmd.exe	135
PID 4540 wrote to memory of 2164	4540	cmd.exe	135
PID 4540 wrote to memory of 2516	4540	cmd.exe	136
PID 4540 wrote to memory of 2516	4540	cmd.exe	136
PID 4540 wrote to memory of 932	4540	cmd.exe	138
PID 4540 wrote to memory of 932	4540	cmd.exe	138
PID 932 wrote to memory of 1628	932	componentdll.exe	145
PID 932 wrote to memory of 1628	932	componentdll.exe	145
PID 1628 wrote to memory of 660	1628	cmd.exe	147
PID 1628 wrote to memory of 660	1628	cmd.exe	147
PID 1628 wrote to memory of 4700	1628	cmd.exe	148
PID 1628 wrote to memory of 4700	1628	cmd.exe	148
PID 1628 wrote to memory of 4268	1628	cmd.exe	150
PID 1628 wrote to memory of 4268	1628	cmd.exe	150

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe
"C:\Users\Admin\AppData\Local\Temp\a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Componentperf\cfktGpUTtRSX2yQKRIoM3JndHvk9YcKcheeigUIMecfNqLjRtVUp9sGs.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Componentperf\SQ9jEh0oYRCdpe0w7L4R7l.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Componentperf\componentdll.exe
      "C:\Componentperf/componentdll.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4588
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\szcej3ja\szcej3ja.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:876
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDFA.tmp" "c:\Windows\System32\CSC8231572C198434C898747E95584AEE.TMP"
        6⤵
        
        PID:3352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TrustedInstaller.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk-1.8\include\win32\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\ja-JP\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Componentperf\componentdll.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o14MeRv1OP.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4540
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2164
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2516
      - C:\Componentperf\componentdll.exe
        
        "C:\Componentperf\componentdll.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\50TwasnRS2.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4700
        
        C:\Componentperf\componentdll.exe
        
        "C:\Componentperf\componentdll.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk-1.8\include\win32\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\include\win32\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jdk-1.8\include\win32\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\ja-JP\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\ja-JP\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdllc" /sc MINUTE /mo 12 /tr "'C:\Componentperf\componentdll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdll" /sc ONLOGON /tr "'C:\Componentperf\componentdll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdllc" /sc MINUTE /mo 14 /tr "'C:\Componentperf\componentdll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Componentperf\SQ9jEh0oYRCdpe0w7L4R7l.bat

Filesize
94B

MD5
38245dfef92b3892bef514a4f569b043

SHA1
2e96ba9b418200bfb9e33544f3669cf452d27f27

SHA256
86e2a7dce38cdc6eb73f29c05352980861c22db7268140b777b07b21f9f5dd0d

SHA512
2b0dd13c4214e217ded08ec4807bea9a3d70fab80492056ce028db234b5347bc1592025cbf39fca58dfe7aeb72f78493cd137fa658ecf334d84821e47a20724c

Download Submit
C:\Componentperf\cfktGpUTtRSX2yQKRIoM3JndHvk9YcKcheeigUIMecfNqLjRtVUp9sGs.vbe

Filesize
214B

MD5
d2b8c634d59aedcbe2bba990a7e3ce86

SHA1
32e5591d46e65520765fbf7e4c204cc9a2345b55

SHA256
8f63f2cf87891a4fcf31564af3b2b76c8e28e2c0aae723dd3724a5f4e48cc508

SHA512
2858d0659984e01529f6e3f3a1e90893e3c2f745b35961aef8ab0f85edf61f746dff5d2b4733dafd9ffddcdf7f0b87189e7d89d24b3f54ed74afb40ef281cbf0

Download Submit
C:\Componentperf\componentdll.exe

Filesize
1.9MB

MD5
7fd78c3dfb4d897f2e572a89721f272a

SHA1
0bf21b96846c8ba92aaffc8eef868f4ed2d36eb0

SHA256
0b336aaf70796274f51f9ee315077e63433c16a84cedc1a4fe45fc17759d2aca

SHA512
95693f447a4a0e102ad90f1e574ea15ce4279f6bb937cb7ba5fe384ec96a665561f9798c5f85f925c98354fbfaafda7fd099d9a7f4008c3410e23535bc4253cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\componentdll.exe.log

Filesize
1KB

MD5
af6acd95d59de87c04642509c30e81c1

SHA1
f9549ae93fdb0a5861a79a08f60aa81c4b32377b

SHA256
7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

SHA512
93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\50TwasnRS2.bat

Filesize
209B

MD5
646db107f988c6230dd8af84f0d30b9b

SHA1
309ef0324de8e62b02d9855851bc0d90ec60be02

SHA256
0768ba522af8000d7c773f335663d97fd27797e11253404ec584500d2bdf38db

SHA512
63aa4edd96943b7b555b4b0ba670db4f45987b93c6273e6b0091ba7a1149aa5030e273f06b560c6194b287362b6d0939fa9267cdd53d3f37c90cf4da9ab2bb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEDFA.tmp

Filesize
1KB

MD5
76579e0420759508d072d1825208655e

SHA1
6b71e3137f5450f122b95ad99eaa49dca4d743d6

SHA256
43f84125ff842f767b980d445cd691d49da913f66da6155d36d4eed07ae52bae

SHA512
db6cb1a3d87249a9267666a20a6b0a34a115253bb4bebe4796952ed1755e82f366c71a46691e85bb773bb748b12c6660f11c26cdc86323d11a24c8775e636643

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sa0viofm.2pv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\o14MeRv1OP.bat

Filesize
209B

MD5
44675cc69bbffccb96f8f0d612c96030

SHA1
cbe0c6fa3898670eabeacc1958c5aae618c462ce

SHA256
d92f64d74a29a999341b4ea140001f666fa4adce0cedf8aed949a545eec2afc9

SHA512
fcb8fe0c9887662f4d3b7ce1f1da349b045e917566f4c9dca54761ce40b1bcf231da643bfcb73d8cd15fa37f2002f6c08e84dc1b391553f7d610b6504192db96

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\szcej3ja\szcej3ja.0.cs

Filesize
365B

MD5
2220211826fc88b4aecf58956f19c297

SHA1
82d8e2d4f1ae4dacbd1233f5d78a0af612a4c72b

SHA256
d523db18bdcba3e64cc6ad454e99806a0e33d787e6889a3c775b3d5137318b4d

SHA512
b72a950933b8bc59258d828cb1bc5d2c4fbabff13882938f6ae13094a4d505ecd5c637c8b14ecb256fb91f872842dae2846251be6f52d894925370ddb8fadd67

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\szcej3ja\szcej3ja.cmdline

Filesize
235B

MD5
7762589e4ece7d643f1113fe4578159a

SHA1
e0cc67c8cc982bf1035059ba8e974e0680cc1417

SHA256
f6cb8e7a01cf5ee573b8fb2bf049a691016735ddb2f78ddebdfdcf03f1e1beea

SHA512
c98ba86701623ba3ab8f6d44eacbec25d91b78d4d30b6b9135793f2bbaf30a8757531ecca98a7d3689417372104d783ebab2874a7a4ba7d04f85422613783d98

Download Submit
\??\c:\Windows\System32\CSC8231572C198434C898747E95584AEE.TMP

Filesize
1KB

MD5
65d5babddb4bd68783c40f9e3678613f

SHA1
71e76abb44dbea735b9faaccb8c0fad345b514f4

SHA256
d61a59849cacd91b8039a8e41a5b92a7f93e2d46c90791b9ba6b5f856008cd8f

SHA512
21223e9a32df265bb75093d1ebaa879880a947d25ac764f3452b9104893b05f2c8fe4150cb2465681df7a0554dcefdb7f623aaf54772ade878270f453ebc1bcf

Download Submit
memory/932-120-0x000000001C210000-0x000000001C2B9000-memory.dmp

Filesize
676KB

Download
memory/932-130-0x000000001C210000-0x000000001C2B9000-memory.dmp

Filesize
676KB

Download
memory/3888-70-0x000001EA7B810000-0x000001EA7B832000-memory.dmp

Filesize
136KB

Download
memory/4268-139-0x000000001B3B0000-0x000000001B459000-memory.dmp

Filesize
676KB

Download
memory/4588-18-0x000000001B3A0000-0x000000001B3F0000-memory.dmp

Filesize
320KB

Download
memory/4588-20-0x000000001B350000-0x000000001B368000-memory.dmp

Filesize
96KB

Download
memory/4588-26-0x000000001B230000-0x000000001B23C000-memory.dmp

Filesize
48KB

Download
memory/4588-17-0x000000001B210000-0x000000001B22C000-memory.dmp

Filesize
112KB

Download
memory/4588-15-0x0000000002800000-0x000000000280E000-memory.dmp

Filesize
56KB

Download
memory/4588-13-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/4588-22-0x000000001B1F0000-0x000000001B1FE000-memory.dmp

Filesize
56KB

Download
memory/4588-24-0x000000001B200000-0x000000001B20E000-memory.dmp

Filesize
56KB

Download
memory/4588-12-0x00007FFC4A703000-0x00007FFC4A705000-memory.dmp

Filesize
8KB

Download
memory/4588-79-0x000000001B890000-0x000000001B939000-memory.dmp

Filesize
676KB

Download