dcrat | 87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b

Analysis

max time kernel
119s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6706364c78566c589c6c45217e852b02.exe
Size

1.9MB
MD5

6706364c78566c589c6c45217e852b02
SHA1

e0bc8a67a91d5ea42c072e63f36f4993d9620c2d
SHA256

87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b
SHA512

3aed779886dcb08bac7eda66cf4b4adbcf420ac0dfc702ef645f231cc40f0801cd16b35cafb12dc5b7125c237df65df091366c884ce20158447752507e1023f7
SSDEEP

49152:JV9LiEUzT6V+qiRGVcqb++v8PlPwvwOfPGZyM1b2DAWsM:JnezTGriRRq3vGNCJfPOy4b

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\sppsvc.exe\", \"C:\\Windows\\Speech\\lsass.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\sppsvc.exe\", \"C:\\Windows\\Speech\\lsass.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\audiodg.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\sppsvc.exe\", \"C:\\Windows\\Speech\\lsass.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\6706364c78566c589c6c45217e852b02.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\csrss.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\sppsvc.exe\""	6706364c78566c589c6c45217e852b02.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	1828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	1828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	1828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	1828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	1828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	1828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	1828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	1828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	1828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	1828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	1828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	1828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	1828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	1828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	1828	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2140	powershell.exe
2288	powershell.exe
1956	powershell.exe
640	powershell.exe
2468	powershell.exe
2484	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1612	winlogon.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\6706364c78566c589c6c45217e852b02 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6706364c78566c589c6c45217e852b02.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6706364c78566c589c6c45217e852b02 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6706364c78566c589c6c45217e852b02.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\csrss.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Public\\Pictures\\Sample Pictures\\sppsvc.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Speech\\lsass.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\audiodg.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\csrss.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Public\\Pictures\\Sample Pictures\\sppsvc.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Speech\\lsass.exe\""	6706364c78566c589c6c45217e852b02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\audiodg.exe\""	6706364c78566c589c6c45217e852b02.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC7401EE3BD4B461E9C3C3A5FF6957D50.TMP	csc.exe
File created	\??\c:\Windows\System32\gxbog2.exe	csc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Speech\lsass.exe	6706364c78566c589c6c45217e852b02.exe
File created	C:\Windows\Speech\6203df4a6bafc7	6706364c78566c589c6c45217e852b02.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2096	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2096	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2072	schtasks.exe
2608	schtasks.exe
1696	schtasks.exe
2316	schtasks.exe
1924	schtasks.exe
592	schtasks.exe
2324	schtasks.exe
3012	schtasks.exe
1952	schtasks.exe
816	schtasks.exe
2160	schtasks.exe
2200	schtasks.exe
1412	schtasks.exe
952	schtasks.exe
3016	schtasks.exe
2976	schtasks.exe
2580	schtasks.exe
2936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe
2892	6706364c78566c589c6c45217e852b02.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	6706364c78566c589c6c45217e852b02.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	1612	winlogon.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 576	2892	6706364c78566c589c6c45217e852b02.exe	34
PID 2892 wrote to memory of 576	2892	6706364c78566c589c6c45217e852b02.exe	34
PID 2892 wrote to memory of 576	2892	6706364c78566c589c6c45217e852b02.exe	34
PID 576 wrote to memory of 1872	576	csc.exe	36
PID 576 wrote to memory of 1872	576	csc.exe	36
PID 576 wrote to memory of 1872	576	csc.exe	36
PID 2892 wrote to memory of 640	2892	6706364c78566c589c6c45217e852b02.exe	52
PID 2892 wrote to memory of 640	2892	6706364c78566c589c6c45217e852b02.exe	52
PID 2892 wrote to memory of 640	2892	6706364c78566c589c6c45217e852b02.exe	52
PID 2892 wrote to memory of 1956	2892	6706364c78566c589c6c45217e852b02.exe	53
PID 2892 wrote to memory of 1956	2892	6706364c78566c589c6c45217e852b02.exe	53
PID 2892 wrote to memory of 1956	2892	6706364c78566c589c6c45217e852b02.exe	53
PID 2892 wrote to memory of 2288	2892	6706364c78566c589c6c45217e852b02.exe	55
PID 2892 wrote to memory of 2288	2892	6706364c78566c589c6c45217e852b02.exe	55
PID 2892 wrote to memory of 2288	2892	6706364c78566c589c6c45217e852b02.exe	55
PID 2892 wrote to memory of 2140	2892	6706364c78566c589c6c45217e852b02.exe	56
PID 2892 wrote to memory of 2140	2892	6706364c78566c589c6c45217e852b02.exe	56
PID 2892 wrote to memory of 2140	2892	6706364c78566c589c6c45217e852b02.exe	56
PID 2892 wrote to memory of 2484	2892	6706364c78566c589c6c45217e852b02.exe	57
PID 2892 wrote to memory of 2484	2892	6706364c78566c589c6c45217e852b02.exe	57
PID 2892 wrote to memory of 2484	2892	6706364c78566c589c6c45217e852b02.exe	57
PID 2892 wrote to memory of 2468	2892	6706364c78566c589c6c45217e852b02.exe	58
PID 2892 wrote to memory of 2468	2892	6706364c78566c589c6c45217e852b02.exe	58
PID 2892 wrote to memory of 2468	2892	6706364c78566c589c6c45217e852b02.exe	58
PID 2892 wrote to memory of 1648	2892	6706364c78566c589c6c45217e852b02.exe	64
PID 2892 wrote to memory of 1648	2892	6706364c78566c589c6c45217e852b02.exe	64
PID 2892 wrote to memory of 1648	2892	6706364c78566c589c6c45217e852b02.exe	64
PID 1648 wrote to memory of 2544	1648	cmd.exe	66
PID 1648 wrote to memory of 2544	1648	cmd.exe	66
PID 1648 wrote to memory of 2544	1648	cmd.exe	66
PID 1648 wrote to memory of 2096	1648	cmd.exe	67
PID 1648 wrote to memory of 2096	1648	cmd.exe	67
PID 1648 wrote to memory of 2096	1648	cmd.exe	67
PID 1648 wrote to memory of 1612	1648	cmd.exe	68
PID 1648 wrote to memory of 1612	1648	cmd.exe	68
PID 1648 wrote to memory of 1612	1648	cmd.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6706364c78566c589c6c45217e852b02.exe
"C:\Users\Admin\AppData\Local\Temp\6706364c78566c589c6c45217e852b02.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ufy1nhth\ufy1nhth.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A28.tmp" "c:\Windows\System32\CSC7401EE3BD4B461E9C3C3A5FF6957D50.TMP"
    3⤵
    PID:1872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6706364c78566c589c6c45217e852b02.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fAy65PXYIO.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2544
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2096
- - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe
    "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Speech\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Speech\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6706364c78566c589c6c45217e852b026" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\6706364c78566c589c6c45217e852b02.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6706364c78566c589c6c45217e852b02" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\6706364c78566c589c6c45217e852b02.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6706364c78566c589c6c45217e852b026" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\6706364c78566c589c6c45217e852b02.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe

Filesize
1.9MB

MD5
6706364c78566c589c6c45217e852b02

SHA1
e0bc8a67a91d5ea42c072e63f36f4993d9620c2d

SHA256
87fa5d0d7912d7a1295e7d585f41797bc5c76a5ea7d9d7b362fcc20472715f9b

SHA512
3aed779886dcb08bac7eda66cf4b4adbcf420ac0dfc702ef645f231cc40f0801cd16b35cafb12dc5b7125c237df65df091366c884ce20158447752507e1023f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6A28.tmp

Filesize
1KB

MD5
0df138d44db6b83a8f442515576c004c

SHA1
4a9e535d5ae30f4c29b50279c410d0f4c0e3e30a

SHA256
c34c883998af3300c2a43eb7d49ce45d006032c456c8bc19ec60b62c0b17938b

SHA512
4ea5f3a0b7fcf95b6035e42c5f6597bdb99686b98fb36f2e7763d8ee0bfa25c0e6dc4e183e50beb0b82a06cf6da403a5f4765c13d96d7193e8723baacdef0c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\fAy65PXYIO.bat

Filesize
203B

MD5
26bafa87190ab33ec252fef446d76fd2

SHA1
9d8e90f48bbc1d245ee21f098d61ed3b7b74853f

SHA256
1d7f702b8f108531503c853d050fa072e8fb7fad8ee0ddecffd55bbc2b2d67a8

SHA512
84f7f9747a577d9ca6d637a30fe3b1a872ff1b72fcda1c220eaac1858c5c574cf0b5bc694bfdb7a15bf0c3caf39adcc61edd8aed4669a15f30405548ae58ec8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c5f9855dd0b283a9abefb163b7b9a22e

SHA1
f034560abea977ae8526424d2bb2315ec72eef1b

SHA256
58d4c56552330f8079718ceb66ea7f9716668728025fffb9b40d50265330e682

SHA512
88cd7764b6a992b445ff4da80463207ad125e1aca53548d9f855efc4fae0cd8b4f6dd6d60ee7c1087f2049e6a0b932115a1b1fc527c802d0b6e3e4fe43c7f7e0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ufy1nhth\ufy1nhth.0.cs

Filesize
390B

MD5
8163d6dcb766845eb5e244f4e06c3a05

SHA1
5bb432eb90ffe7e3f6a1038267cea57564019a5b

SHA256
6b867399145f8e14dce8a9d6559dc817dc17bfbd8aca8574bcb2dcc7d6d0fb9d

SHA512
e2f25cd6a554a6162a93e7d3ead04fadfdab50adf8c3131b7040e84ef076da15dadb9011fc70726833f7271e31684768e37777b9f0d955957fc596796eb39016

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ufy1nhth\ufy1nhth.cmdline

Filesize
235B

MD5
25a2221416e5a29a9a9417bd21ee8563

SHA1
8131eaceb867dcf486dafb789a18723239c8674f

SHA256
a7a8c6dea25d7986bb782391148f6b7b307f9b3df89cd9e5ba314e1ddf83b2f6

SHA512
71e30e7de0216f2b68471597ecbc131ba8b92a8de054bcad0cd58bcd2ba2cffec73c1ca092e1afbd2d8f3f3e9413a0519d93f186da942dd300f53406ab3b618d

Download Submit
\??\c:\Windows\System32\CSC7401EE3BD4B461E9C3C3A5FF6957D50.TMP

Filesize
1KB

MD5
dbb2cd021b80875d9c777c705ef845c8

SHA1
3ed0cde3b4f4d8267c3cddd37dd4ede100b5ecce

SHA256
a4d8c8c391bc1975510bdea24653db0f578d998dead4ce7f8a85eb8fbb3ec829

SHA512
a8076e4d1b1641e189d2066050809ce0cce557e23c110fba77c2cfb7448b5915252b2e2f4d3443f708941277b947b951cfba6c191980a09b8c7710589c766c8e

Download Submit
memory/1612-83-0x0000000000310000-0x00000000004F6000-memory.dmp

Filesize
1.9MB

Download
memory/1956-72-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2140-78-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/2892-7-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2892-10-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2892-17-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/2892-15-0x0000000000200000-0x000000000020E000-memory.dmp

Filesize
56KB

Download
memory/2892-21-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2892-9-0x00000000004B0000-0x00000000004CC000-memory.dmp

Filesize
112KB

Download
memory/2892-18-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2892-12-0x00000000006D0000-0x00000000006E8000-memory.dmp

Filesize
96KB

Download
memory/2892-13-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2892-19-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2892-0-0x000007FEF5143000-0x000007FEF5144000-memory.dmp

Filesize
4KB

Download
memory/2892-6-0x00000000001F0000-0x00000000001FE000-memory.dmp

Filesize
56KB

Download
memory/2892-4-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2892-3-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2892-2-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2892-80-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2892-1-0x0000000000210000-0x00000000003F6000-memory.dmp

Filesize
1.9MB

Download