dcrat | 87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b

Analysis

max time kernel
117s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6706364c78566c589c6c45217e852b02.exe
Size

1.9MB
MD5

6706364c78566c589c6c45217e852b02
SHA1

e0bc8a67a91d5ea42c072e63f36f4993d9620c2d
SHA256

87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b
SHA512

3aed779886dcb08bac7eda66cf4b4adbcf420ac0dfc702ef645f231cc40f0801cd16b35cafb12dc5b7125c237df65df091366c884ce20158447752507e1023f7
SSDEEP

49152:JV9LiEUzT6V+qiRGVcqb++v8PlPwvwOfPGZyM1b2DAWsM:JnezTGriRRq3vGNCJfPOy4b

Score

10^/10

dcrat execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\audiodg.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\audiodg.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\System.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\audiodg.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\6706364c78566c589c6c45217e852b02.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\audiodg.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\6706364c78566c589c6c45217e852b02.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\audiodg.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\6706364c78566c589c6c45217e852b02.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\", \"C:\\Users\\Default\\NetHood\\dllhost.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\audiodg.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\6706364c78566c589c6c45217e852b02.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\", \"C:\\Users\\Default\\NetHood\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\6706364c78566c589c6c45217e852b02.exe\""	6706364c78566c589c6c45217e852b02.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2732	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2920	powershell.exe
1868	powershell.exe
2480	powershell.exe
2472	powershell.exe
2120	powershell.exe
2128	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2564	System.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\VideoLAN\\VLC\\audiodg.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\VideoLAN\\VLC\\audiodg.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\System.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\System.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6706364c78566c589c6c45217e852b02 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6706364c78566c589c6c45217e852b02.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\6706364c78566c589c6c45217e852b02 = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\6706364c78566c589c6c45217e852b02.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6706364c78566c589c6c45217e852b02 = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\6706364c78566c589c6c45217e852b02.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default\\NetHood\\dllhost.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default\\NetHood\\dllhost.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\6706364c78566c589c6c45217e852b02 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6706364c78566c589c6c45217e852b02.exe\""	6706364c78566c589c6c45217e852b02.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCFCE0F2247E9F4478A535FA74DFB1D454.TMP	csc.exe
File created	\??\c:\Windows\System32\byyuy-.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\6706364c78566c589c6c45217e852b02.exe	6706364c78566c589c6c45217e852b02.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\27efd3ff5e29fa	6706364c78566c589c6c45217e852b02.exe
File created	C:\Program Files\VideoLAN\VLC\audiodg.exe	6706364c78566c589c6c45217e852b02.exe
File created	C:\Program Files\VideoLAN\VLC\42af1c969fbb7b	6706364c78566c589c6c45217e852b02.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2612	schtasks.exe
3028	schtasks.exe
1240	schtasks.exe
2364	schtasks.exe
1188	schtasks.exe
1040	schtasks.exe
2056	schtasks.exe
2416	schtasks.exe
3000	schtasks.exe
2876	schtasks.exe
2268	schtasks.exe
3060	schtasks.exe
2028	schtasks.exe
556	schtasks.exe
2356	schtasks.exe
1896	schtasks.exe
1680	schtasks.exe
1788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe
2936	6706364c78566c589c6c45217e852b02.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	6706364c78566c589c6c45217e852b02.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2564	System.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2836	2936	6706364c78566c589c6c45217e852b02.exe	34
PID 2936 wrote to memory of 2836	2936	6706364c78566c589c6c45217e852b02.exe	34
PID 2936 wrote to memory of 2836	2936	6706364c78566c589c6c45217e852b02.exe	34
PID 2836 wrote to memory of 2620	2836	csc.exe	37
PID 2836 wrote to memory of 2620	2836	csc.exe	37
PID 2836 wrote to memory of 2620	2836	csc.exe	37
PID 2936 wrote to memory of 2128	2936	6706364c78566c589c6c45217e852b02.exe	53
PID 2936 wrote to memory of 2128	2936	6706364c78566c589c6c45217e852b02.exe	53
PID 2936 wrote to memory of 2128	2936	6706364c78566c589c6c45217e852b02.exe	53
PID 2936 wrote to memory of 2920	2936	6706364c78566c589c6c45217e852b02.exe	54
PID 2936 wrote to memory of 2920	2936	6706364c78566c589c6c45217e852b02.exe	54
PID 2936 wrote to memory of 2920	2936	6706364c78566c589c6c45217e852b02.exe	54
PID 2936 wrote to memory of 1868	2936	6706364c78566c589c6c45217e852b02.exe	55
PID 2936 wrote to memory of 1868	2936	6706364c78566c589c6c45217e852b02.exe	55
PID 2936 wrote to memory of 1868	2936	6706364c78566c589c6c45217e852b02.exe	55
PID 2936 wrote to memory of 2480	2936	6706364c78566c589c6c45217e852b02.exe	56
PID 2936 wrote to memory of 2480	2936	6706364c78566c589c6c45217e852b02.exe	56
PID 2936 wrote to memory of 2480	2936	6706364c78566c589c6c45217e852b02.exe	56
PID 2936 wrote to memory of 2472	2936	6706364c78566c589c6c45217e852b02.exe	57
PID 2936 wrote to memory of 2472	2936	6706364c78566c589c6c45217e852b02.exe	57
PID 2936 wrote to memory of 2472	2936	6706364c78566c589c6c45217e852b02.exe	57
PID 2936 wrote to memory of 2120	2936	6706364c78566c589c6c45217e852b02.exe	58
PID 2936 wrote to memory of 2120	2936	6706364c78566c589c6c45217e852b02.exe	58
PID 2936 wrote to memory of 2120	2936	6706364c78566c589c6c45217e852b02.exe	58
PID 2936 wrote to memory of 2692	2936	6706364c78566c589c6c45217e852b02.exe	64
PID 2936 wrote to memory of 2692	2936	6706364c78566c589c6c45217e852b02.exe	64
PID 2936 wrote to memory of 2692	2936	6706364c78566c589c6c45217e852b02.exe	64
PID 2692 wrote to memory of 2284	2692	cmd.exe	67
PID 2692 wrote to memory of 2284	2692	cmd.exe	67
PID 2692 wrote to memory of 2284	2692	cmd.exe	67
PID 2692 wrote to memory of 2280	2692	cmd.exe	68
PID 2692 wrote to memory of 2280	2692	cmd.exe	68
PID 2692 wrote to memory of 2280	2692	cmd.exe	68
PID 2692 wrote to memory of 2564	2692	cmd.exe	69
PID 2692 wrote to memory of 2564	2692	cmd.exe	69
PID 2692 wrote to memory of 2564	2692	cmd.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6706364c78566c589c6c45217e852b02.exe
"C:\Users\Admin\AppData\Local\Temp\6706364c78566c589c6c45217e852b02.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ukzq2li1\ukzq2li1.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD96E.tmp" "c:\Windows\System32\CSCFCE0F2247E9F4478A535FA74DFB1D454.TMP"
    3⤵
    PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\6706364c78566c589c6c45217e852b02.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6706364c78566c589c6c45217e852b02.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kcvqYzbhiG.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2284
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2280
- - C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe
    "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6706364c78566c589c6c45217e852b026" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\6706364c78566c589c6c45217e852b02.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6706364c78566c589c6c45217e852b02" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\6706364c78566c589c6c45217e852b02.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6706364c78566c589c6c45217e852b026" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\6706364c78566c589c6c45217e852b02.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\NetHood\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\NetHood\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6706364c78566c589c6c45217e852b026" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\6706364c78566c589c6c45217e852b02.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6706364c78566c589c6c45217e852b02" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\6706364c78566c589c6c45217e852b02.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6706364c78566c589c6c45217e852b026" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\6706364c78566c589c6c45217e852b02.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VideoLAN\VLC\audiodg.exe

Filesize
1.9MB

MD5
6706364c78566c589c6c45217e852b02

SHA1
e0bc8a67a91d5ea42c072e63f36f4993d9620c2d

SHA256
87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b

SHA512
3aed779886dcb08bac7eda66cf4b4adbcf420ac0dfc702ef645f231cc40f0801cd16b35cafb12dc5b7125c237df65df091366c884ce20158447752507e1023f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD96E.tmp

Filesize
1KB

MD5
3df4dc9f2aefe6f911d9886bc7cd926a

SHA1
461b7b91e114ab069653716ae85347b86642210c

SHA256
d1904eb773dba9f4280ca07ec73c9addfb6d791bebc6e0d734eff170dd4a8def

SHA512
1d0f3b5dd2cf53afab71be7aa12fa10735703077f440907ddbed8582d5ef18e74c19f8ecfdde4ff2501ec2763b05f751411982b57f262b575e1f3b4566025310

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcvqYzbhiG.bat

Filesize
235B

MD5
59bee871e271717518d1c913fa0d5419

SHA1
dd8b033303f62db4f63791cc112a37116acee565

SHA256
f7780d5e66fac14a278ff19929c010b1461f7ee261ece57a0a6c22b7aeb6b36a

SHA512
4c9d886d90763c9e33bc4ac0ef7ef7b181a1e634f66a2ab25bbde2279fd2e2c50c552cd10a47c0ccb9d24f35208e17be13da90478d72f85e1487874f2c8effbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
09af201e8bab4773953e6ee454d259df

SHA1
d6bda38d425f1b429868ded8e371371870c893b6

SHA256
6448d0af25b1bdffaa549d8913e2853a6d9338e0d12808d39c379d0561f4ce46

SHA512
e0d71aba821762a133d39324128f5af5fb61cff9b4d2cc0cba40812ea5f3d2e10f99661d4d56cdc2a8bbaf58f359565f9ff70f7005dc8cf93c293642f56aded1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ukzq2li1\ukzq2li1.0.cs

Filesize
373B

MD5
878305d7b206074937f71e7aabcbaff3

SHA1
8b7610566204de4f8ce7ff7a528d0102aae6761a

SHA256
67740ab465f0106776db810ea66a9c8ffa4adb252999998a7269d45b2f3c6a25

SHA512
ac852e1502151e8db4cf8370455ba77e312f55fd6f73813ba79ef5d9659ca9cdf9e21976f956817d7a721e1967f893a2faad66046862fca86f04ff3161c2b4f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ukzq2li1\ukzq2li1.cmdline

Filesize
235B

MD5
2af474c1f7ad929731e8216880998f20

SHA1
ca4291c5afea5fa6ab22a91113fe83b2b64ba0d9

SHA256
d672ad5969441450f0dfc9d5dff2f2056b0cbb6e8238085278965c048406a413

SHA512
fac73f4398d64407474131f7b9471491528963076bbdb3b189cdd7b3a62d5d10527f2e975969ebab86e3cf6e4715f8e2757ae5ff5b192307db01da7f338b3f1a

Download Submit
\??\c:\Windows\System32\CSCFCE0F2247E9F4478A535FA74DFB1D454.TMP

Filesize
1KB

MD5
078586b266e519b5c113064d7a0bf45c

SHA1
a9395c0ef35add5c75591ebb94c85c1f33f408bf

SHA256
ccf292ff9f142b204ad4f4481a044ba8f9ab274305dcb604bf0b8ae91819ab1e

SHA512
5b8eb6aad62657309088c4668d633c2aa6324d4824ec32c3c5e133df0a5493a4342c980e077ba565f3aab29c58f95c8db7195415a1e554384405c1457730f959

Download Submit
memory/1868-69-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2564-84-0x0000000000C20000-0x0000000000E06000-memory.dmp

Filesize
1.9MB

Download
memory/2920-64-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download
memory/2936-36-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-13-0x0000000000570000-0x0000000000588000-memory.dmp

Filesize
96KB

Download
memory/2936-37-0x000007FEF5B83000-0x000007FEF5B84000-memory.dmp

Filesize
4KB

Download
memory/2936-8-0x0000000000300000-0x000000000030E000-memory.dmp

Filesize
56KB

Download
memory/2936-2-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-10-0x0000000000540000-0x000000000055C000-memory.dmp

Filesize
112KB

Download
memory/2936-5-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-11-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-1-0x0000000000B60000-0x0000000000D46000-memory.dmp

Filesize
1.9MB

Download
memory/2936-17-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/2936-3-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-0-0x000007FEF5B83000-0x000007FEF5B84000-memory.dmp

Filesize
4KB

Download
memory/2936-6-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-15-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/2936-4-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-18-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-81-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-35-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download