dcrat | 7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2

Analysis

max time kernel
58s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
Size

1.7MB
MD5

89b97de873721b7f7c0e290f3009714a
SHA1

a497ecfd40010292888930dad8e90139555a53a1
SHA256

7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2
SHA512

48a4de3da13249137fac6c62df309a3be67c2123f689a0186fb48af00d2f60ab9faf1d2f7e865af9e3e3403f1d9abfee77386f92d7fb476a6717b10f2bc5d474
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvX:eTHUxUoh1IF9gl2o

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	2468	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	2468	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	2468	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2468	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2468	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2468	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	2468	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	2468	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2468	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	2468	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	2468	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	2468	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2468	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2468	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	2468	schtasks.exe	85

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1152-1-0x00000000009E0000-0x0000000000BA0000-memory.dmp	dcrat
behavioral2/files/0x0007000000023c8e-30.dat	dcrat
behavioral2/files/0x000c000000023c94-81.dat	dcrat
behavioral2/files/0x0009000000023c8b-92.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1804	powershell.exe
464	powershell.exe
4016	powershell.exe
528	powershell.exe
3776	powershell.exe
1800	powershell.exe
3508	powershell.exe
4880	powershell.exe
3188	powershell.exe
4500	powershell.exe
5040	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	System.exe

Executes dropped EXE 4 IoCs

pid	Process
4436	System.exe
4240	System.exe
4448	System.exe
1272	System.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\GameBarPresenceWriter\fontdrvhost.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Windows\GameBarPresenceWriter\fontdrvhost.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Windows\GameBarPresenceWriter\5b884080fd4f94	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\RCXC9E0.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\RCXCA5E.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	System.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1788	schtasks.exe
1444	schtasks.exe
3552	schtasks.exe
3900	schtasks.exe
2660	schtasks.exe
4224	schtasks.exe
1860	schtasks.exe
4836	schtasks.exe
4404	schtasks.exe
2948	schtasks.exe
3772	schtasks.exe
696	schtasks.exe
4788	schtasks.exe
4212	schtasks.exe
4860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
464	powershell.exe
464	powershell.exe
1800	powershell.exe
1800	powershell.exe
5040	powershell.exe
5040	powershell.exe
528	powershell.exe
528	powershell.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
4500	powershell.exe
4500	powershell.exe
1804	powershell.exe
1804	powershell.exe
4016	powershell.exe
4016	powershell.exe
4880	powershell.exe
4880	powershell.exe
464	powershell.exe
3188	powershell.exe
3188	powershell.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
3508	powershell.exe
3508	powershell.exe
1800	powershell.exe
3776	powershell.exe
3776	powershell.exe
4500	powershell.exe
528	powershell.exe
1804	powershell.exe
5040	powershell.exe
4880	powershell.exe
4016	powershell.exe
3188	powershell.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
3508	powershell.exe
3776	powershell.exe
4436	System.exe
4436	System.exe
4436	System.exe
4436	System.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeDebugPrivilege	4436	System.exe
Token: SeDebugPrivilege	4240	System.exe
Token: SeDebugPrivilege	4448	System.exe
Token: SeDebugPrivilege	1272	System.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 3776	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	101
PID 1152 wrote to memory of 3776	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	101
PID 1152 wrote to memory of 5040	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	102
PID 1152 wrote to memory of 5040	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	102
PID 1152 wrote to memory of 1804	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	103
PID 1152 wrote to memory of 1804	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	103
PID 1152 wrote to memory of 1800	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	104
PID 1152 wrote to memory of 1800	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	104
PID 1152 wrote to memory of 3508	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	105
PID 1152 wrote to memory of 3508	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	105
PID 1152 wrote to memory of 4880	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	106
PID 1152 wrote to memory of 4880	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	106
PID 1152 wrote to memory of 464	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	107
PID 1152 wrote to memory of 464	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	107
PID 1152 wrote to memory of 3188	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	108
PID 1152 wrote to memory of 3188	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	108
PID 1152 wrote to memory of 4016	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	109
PID 1152 wrote to memory of 4016	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	109
PID 1152 wrote to memory of 528	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	110
PID 1152 wrote to memory of 528	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	110
PID 1152 wrote to memory of 4500	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	111
PID 1152 wrote to memory of 4500	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	111
PID 1152 wrote to memory of 4436	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	123
PID 1152 wrote to memory of 4436	1152	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	123
PID 4436 wrote to memory of 4900	4436	System.exe	125
PID 4436 wrote to memory of 4900	4436	System.exe	125
PID 4436 wrote to memory of 2264	4436	System.exe	126
PID 4436 wrote to memory of 2264	4436	System.exe	126
PID 4900 wrote to memory of 4240	4900	WScript.exe	132
PID 4900 wrote to memory of 4240	4900	WScript.exe	132
PID 4240 wrote to memory of 4836	4240	System.exe	136
PID 4240 wrote to memory of 4836	4240	System.exe	136
PID 4240 wrote to memory of 856	4240	System.exe	137
PID 4240 wrote to memory of 856	4240	System.exe	137
PID 4836 wrote to memory of 4448	4836	WScript.exe	145
PID 4836 wrote to memory of 4448	4836	WScript.exe	145
PID 4448 wrote to memory of 5052	4448	System.exe	147
PID 4448 wrote to memory of 5052	4448	System.exe	147
PID 4448 wrote to memory of 4076	4448	System.exe	148
PID 4448 wrote to memory of 4076	4448	System.exe	148
PID 5052 wrote to memory of 1272	5052	WScript.exe	149
PID 5052 wrote to memory of 1272	5052	WScript.exe	149
PID 1272 wrote to memory of 4960	1272	System.exe	151
PID 1272 wrote to memory of 4960	1272	System.exe	151
PID 1272 wrote to memory of 1620	1272	System.exe	152
PID 1272 wrote to memory of 1620	1272	System.exe	152

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
"C:\Users\Admin\AppData\Local\Temp\7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Users\Public\Libraries\System.exe
  "C:\Users\Public\Libraries\System.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bd3e4f3-7aa0-4cb5-b9d8-de2eeee73324.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Users\Public\Libraries\System.exe
      C:\Users\Public\Libraries\System.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4240
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eafd8b48-9c3d-4415-b81c-28f8e2135b44.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4836
      - C:\Users\Public\Libraries\System.exe
        
        C:\Users\Public\Libraries\System.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69cc6f62-4d9a-4c22-92d9-08830a1bc2ce.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Users\Public\Libraries\System.exe
        
        C:\Users\Public\Libraries\System.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\613dc61a-697a-40f2-8d76-7d53ac78ab44.vbs"
        9⤵
        
        PID:4960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e1121f4-8393-4825-a896-b4a6eaa5d5b1.vbs"
        9⤵
        
        PID:1620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5457b00-56f6-4cf9-b025-5fbfb455c8a7.vbs"
        7⤵
        
        PID:4076
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fba4220-951c-4d55-a645-d993e615e61d.vbs"
        5⤵
        
        PID:856
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d887efdb-ce93-4b61-a38f-a0821187f5f4.vbs"
    3⤵
    PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Libraries\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Music\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Music\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Music\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Searches\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\Searches\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Searches\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\613dc61a-697a-40f2-8d76-7d53ac78ab44.vbs

Filesize
712B

MD5
a06f099741c80589963d24af50548e6f

SHA1
b6cf9d5f3da507466edc4a76af4b4e6987a85704

SHA256
9d5c90ea7c52423803a875aef49a1bc3dc955dba9b1f2f32137bc2e447ed7f6a

SHA512
4384c1f5e505375afd0dffd089af21e3390f17d3a0533af204890342aa0871dcbe22193dc1225cfd0c93b61216ed48aa155f7a7c56d797728325f9b831eaf44a

Download Submit
C:\Users\Admin\AppData\Local\Temp\69cc6f62-4d9a-4c22-92d9-08830a1bc2ce.vbs

Filesize
712B

MD5
8429e22fb61b30694d08e5166abf81dd

SHA1
0330f232629ee53f020c22e2ec51d2fbcda1c905

SHA256
5116da079be5df157a77435dfca72d7d5cd0677cf00a1ccae7587eb0e5003724

SHA512
9c1d5340234c5991f53c37f9416faaf404cc1fea735847899eb3b0756695be5ce494baeaa70cc9f76ae02055c560471bbfadb962facfbdba188c1ed7b618eb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\9bd3e4f3-7aa0-4cb5-b9d8-de2eeee73324.vbs

Filesize
712B

MD5
76c5e5fc152cdfdbc96566b0246c37bb

SHA1
f66cf73d9486c53d6672a08aea87727edd7d3166

SHA256
2fd785d76d47592ce94cb43971d27aa265446c75223900fdc61e3bbe8703b33d

SHA512
7e6c7e261b0ca64b26a7c3cca61a51a4120a58aeaced71f7a51f5e01748edaa061f240482f8dab6ffa06ba48508c706390701c47c9eea699978820db60a6280f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n1srvahm.pxw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887efdb-ce93-4b61-a38f-a0821187f5f4.vbs

Filesize
488B

MD5
faea55154ae34bb7d487920ea7a6a365

SHA1
bba67d1ead34a015ea66a6b98796fb5f3c1a4b50

SHA256
d057ad88be372059f17783faef9fabba62f018e21016688e2c62e7be44da07dd

SHA512
7811ed9a2af71f260962829af511a0523e0ff86cfa80b17e1dfd5fb7704ab710ae5a35a4f4b7a51e1bbc9d32d4dc917fc8d99a217b48f7c5f13de679f8999d4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eafd8b48-9c3d-4415-b81c-28f8e2135b44.vbs

Filesize
712B

MD5
58a5539f330fdc5f2fc84dd92ccde3a3

SHA1
b5373d8f420a7e68167fe97a876f0b5c35d84525

SHA256
d9c63f0a497eeebe64994232f7e00d9c0ddae36c6dcaec4a6061f273b1611e13

SHA512
260065ffb8de516e3926ab41ec030ead389fb0145ebb65096a2e9ce9de57ff85676323bc93f976e18c1c6ad3acab198f5c043794358c24cc53f6201e030512ca

Download Submit
C:\Users\Admin\Searches\sihost.exe

Filesize
1.7MB

MD5
89b97de873721b7f7c0e290f3009714a

SHA1
a497ecfd40010292888930dad8e90139555a53a1

SHA256
7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2

SHA512
48a4de3da13249137fac6c62df309a3be67c2123f689a0186fb48af00d2f60ab9faf1d2f7e865af9e3e3403f1d9abfee77386f92d7fb476a6717b10f2bc5d474

Download Submit
C:\Users\Admin\Searches\sihost.exe

Filesize
1.7MB

MD5
47b0f719e044d109127e544d3e5c8213

SHA1
fb381de8665af5f43f6b36d49c988bfd1690e687

SHA256
6816e01bcdec411072f8fdc74bb9c6001f8e53bf48500188961af2c21ca67b7c

SHA512
1b78a59f20126ea9bbbb014ccbed239e3d596953928fca55b54c38f26d7f15ad8f03a6e416dd664214f91602b86f68a095491004891d58c6629ac4a817abdc6c

Download Submit
C:\Windows\GameBarPresenceWriter\fontdrvhost.exe

Filesize
1.7MB

MD5
33c597f795b562ad1f83d7ec0e80f54e

SHA1
c33cf4a18b1014e993cb6d01d6f844ffa7dee288

SHA256
169a020b2cbeea609c11ab0cbede677a839c96d12e24c38e920736d604719532

SHA512
54a404085553a07117ef268df24d193540158f6f2b5e4e0c74cc31c82ec730d374b2092fc7a1f6c4c6d3bcea5bca0854184bce9ca644c8b2edbbb5f5ac7e15b1

Download Submit
memory/464-149-0x000001DB7A100000-0x000001DB7A122000-memory.dmp

Filesize
136KB

Download
memory/1152-9-0x000000001BE20000-0x000000001BE2C000-memory.dmp

Filesize
48KB

Download
memory/1152-12-0x000000001BE40000-0x000000001BE52000-memory.dmp

Filesize
72KB

Download
memory/1152-22-0x00007FFAF29E0000-0x00007FFAF34A1000-memory.dmp

Filesize
10.8MB

Download
memory/1152-23-0x00007FFAF29E0000-0x00007FFAF34A1000-memory.dmp

Filesize
10.8MB

Download
memory/1152-17-0x000000001BFF0000-0x000000001BFF8000-memory.dmp

Filesize
32KB

Download
memory/1152-19-0x000000001C110000-0x000000001C11C000-memory.dmp

Filesize
48KB

Download
memory/1152-18-0x000000001C100000-0x000000001C10C000-memory.dmp

Filesize
48KB

Download
memory/1152-16-0x000000001BFE0000-0x000000001BFEE000-memory.dmp

Filesize
56KB

Download
memory/1152-14-0x000000001BE50000-0x000000001BE5C000-memory.dmp

Filesize
48KB

Download
memory/1152-255-0x00007FFAF29E0000-0x00007FFAF34A1000-memory.dmp

Filesize
10.8MB

Download
memory/1152-13-0x000000001C400000-0x000000001C928000-memory.dmp

Filesize
5.2MB

Download
memory/1152-15-0x000000001BFD0000-0x000000001BFDA000-memory.dmp

Filesize
40KB

Download
memory/1152-10-0x000000001BE30000-0x000000001BE38000-memory.dmp

Filesize
32KB

Download
memory/1152-0-0x00007FFAF29E3000-0x00007FFAF29E5000-memory.dmp

Filesize
8KB

Download
memory/1152-7-0x0000000002D10000-0x0000000002D26000-memory.dmp

Filesize
88KB

Download
memory/1152-8-0x000000001BE10000-0x000000001BE20000-memory.dmp

Filesize
64KB

Download
memory/1152-6-0x0000000002C30000-0x0000000002C40000-memory.dmp

Filesize
64KB

Download
memory/1152-5-0x0000000002C10000-0x0000000002C18000-memory.dmp

Filesize
32KB

Download
memory/1152-4-0x000000001BE60000-0x000000001BEB0000-memory.dmp

Filesize
320KB

Download
memory/1152-3-0x0000000002C50000-0x0000000002C6C000-memory.dmp

Filesize
112KB

Download
memory/1152-2-0x00007FFAF29E0000-0x00007FFAF34A1000-memory.dmp

Filesize
10.8MB

Download
memory/1152-1-0x00000000009E0000-0x0000000000BA0000-memory.dmp

Filesize
1.8MB

Download