dcrat | 52796cc15b3bc3df709a40ef1c164c9314096fb1eaf9167002c98a4a2fbf0869

Analysis

max time kernel
52s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52796cc15b3bc3df709a40ef1c164c9314096fb1eaf9167002c98a4a2fbf0869N.exe
Size

1.8MB
MD5

4c8c00791894ebf2accb5b77a4509610
SHA1

186cf1ab5c40ced62a351ad2248704c69b292586
SHA256

52796cc15b3bc3df709a40ef1c164c9314096fb1eaf9167002c98a4a2fbf0869
SHA512

c4f559445d607e0457f4b4ea11f09d4eb6d13999e393d5f77ab19758d0d7f9608133118cb3a7a72b07ef0323aa1170cd346d8d0077b70883d61ced70edddf1d4
SSDEEP

49152:IBJAv1XMSYVEb9rGJ/ChuhAeaCGcZPjCjDUVQslg+:y2tp3bpGghYhJGcF+jDUuslg+

Score

10^/10

dcrat discovery evasion execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\OSPPSVC.exe\", \"C:\\Windows\\Logs\\HomeGroup\\OSPPSVC.exe\""	comwebFontMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\OSPPSVC.exe\", \"C:\\Windows\\Logs\\HomeGroup\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\taskhost.exe\""	comwebFontMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\OSPPSVC.exe\", \"C:\\Windows\\Logs\\HomeGroup\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\taskhost.exe\", \"C:\\Hypermonitor\\sppsvc.exe\""	comwebFontMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\OSPPSVC.exe\", \"C:\\Windows\\Logs\\HomeGroup\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\taskhost.exe\", \"C:\\Hypermonitor\\sppsvc.exe\", \"C:\\Windows\\IME\\fr-FR\\OSPPSVC.exe\""	comwebFontMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\OSPPSVC.exe\", \"C:\\Windows\\Logs\\HomeGroup\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\taskhost.exe\", \"C:\\Hypermonitor\\sppsvc.exe\", \"C:\\Windows\\IME\\fr-FR\\OSPPSVC.exe\", \"C:\\Hypermonitor\\comwebFontMonitor.exe\""	comwebFontMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\OSPPSVC.exe\""	comwebFontMonitor.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	1108	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1108	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1108	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1108	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	1108	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	1108	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1108	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	1108	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	1108	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	1108	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	1108	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	1108	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	1108	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	1108	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	1108	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	1108	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	1108	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	1108	schtasks.exe	35

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2564	powershell.exe
1060	powershell.exe
2228	powershell.exe
2072	powershell.exe
2504	powershell.exe
840	powershell.exe
2508	powershell.exe
1788	powershell.exe
1872	powershell.exe
984	powershell.exe
2364	powershell.exe
1700	powershell.exe
2304	powershell.exe
1664	powershell.exe
1040	powershell.exe
2232	powershell.exe
944	powershell.exe
772	powershell.exe
1824	powershell.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
2716	comwebFontMonitor.exe
1856	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2692	cmd.exe
2692	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\OSPPSVC.exe\""	comwebFontMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\Logs\\HomeGroup\\OSPPSVC.exe\""	comwebFontMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\taskhost.exe\""	comwebFontMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\IME\\fr-FR\\OSPPSVC.exe\""	comwebFontMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\IME\\fr-FR\\OSPPSVC.exe\""	comwebFontMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\comwebFontMonitor = "\"C:\\Hypermonitor\\comwebFontMonitor.exe\""	comwebFontMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\comwebFontMonitor = "\"C:\\Hypermonitor\\comwebFontMonitor.exe\""	comwebFontMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\OSPPSVC.exe\""	comwebFontMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\Logs\\HomeGroup\\OSPPSVC.exe\""	comwebFontMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\taskhost.exe\""	comwebFontMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Hypermonitor\\sppsvc.exe\""	comwebFontMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Hypermonitor\\sppsvc.exe\""	comwebFontMonitor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC84FA86C922E64348AF8D4CC1FEFE8E2.TMP	csc.exe
File created	\??\c:\Windows\System32\_f1q_j.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\taskhost.exe	comwebFontMonitor.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\b75386f1303e64	comwebFontMonitor.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\IME\fr-FR\OSPPSVC.exe	comwebFontMonitor.exe
File opened for modification	C:\Windows\IME\fr-FR\OSPPSVC.exe	comwebFontMonitor.exe
File created	C:\Windows\IME\fr-FR\1610b97d3ab4a7	comwebFontMonitor.exe
File created	C:\Windows\Logs\HomeGroup\OSPPSVC.exe	comwebFontMonitor.exe
File created	C:\Windows\Logs\HomeGroup\1610b97d3ab4a7	comwebFontMonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52796cc15b3bc3df709a40ef1c164c9314096fb1eaf9167002c98a4a2fbf0869N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2840	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
780	schtasks.exe
2520	schtasks.exe
2492	schtasks.exe
2532	schtasks.exe
2864	schtasks.exe
1692	schtasks.exe
568	schtasks.exe
400	schtasks.exe
1836	schtasks.exe
3032	schtasks.exe
1812	schtasks.exe
1428	schtasks.exe
1820	schtasks.exe
756	schtasks.exe
1532	schtasks.exe
2536	schtasks.exe
2708	schtasks.exe
2120	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1856	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe
2716	comwebFontMonitor.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	comwebFontMonitor.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	1856	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2800	2244	52796cc15b3bc3df709a40ef1c164c9314096fb1eaf9167002c98a4a2fbf0869N.exe	30
PID 2244 wrote to memory of 2800	2244	52796cc15b3bc3df709a40ef1c164c9314096fb1eaf9167002c98a4a2fbf0869N.exe	30
PID 2244 wrote to memory of 2800	2244	52796cc15b3bc3df709a40ef1c164c9314096fb1eaf9167002c98a4a2fbf0869N.exe	30
PID 2244 wrote to memory of 2800	2244	52796cc15b3bc3df709a40ef1c164c9314096fb1eaf9167002c98a4a2fbf0869N.exe	30
PID 2800 wrote to memory of 2692	2800	WScript.exe	31
PID 2800 wrote to memory of 2692	2800	WScript.exe	31
PID 2800 wrote to memory of 2692	2800	WScript.exe	31
PID 2800 wrote to memory of 2692	2800	WScript.exe	31
PID 2692 wrote to memory of 2840	2692	cmd.exe	33
PID 2692 wrote to memory of 2840	2692	cmd.exe	33
PID 2692 wrote to memory of 2840	2692	cmd.exe	33
PID 2692 wrote to memory of 2840	2692	cmd.exe	33
PID 2692 wrote to memory of 2716	2692	cmd.exe	34
PID 2692 wrote to memory of 2716	2692	cmd.exe	34
PID 2692 wrote to memory of 2716	2692	cmd.exe	34
PID 2692 wrote to memory of 2716	2692	cmd.exe	34
PID 2716 wrote to memory of 2764	2716	comwebFontMonitor.exe	39
PID 2716 wrote to memory of 2764	2716	comwebFontMonitor.exe	39
PID 2716 wrote to memory of 2764	2716	comwebFontMonitor.exe	39
PID 2764 wrote to memory of 2140	2764	csc.exe	41
PID 2764 wrote to memory of 2140	2764	csc.exe	41
PID 2764 wrote to memory of 2140	2764	csc.exe	41
PID 2716 wrote to memory of 2232	2716	comwebFontMonitor.exe	57
PID 2716 wrote to memory of 2232	2716	comwebFontMonitor.exe	57
PID 2716 wrote to memory of 2232	2716	comwebFontMonitor.exe	57
PID 2716 wrote to memory of 1872	2716	comwebFontMonitor.exe	58
PID 2716 wrote to memory of 1872	2716	comwebFontMonitor.exe	58
PID 2716 wrote to memory of 1872	2716	comwebFontMonitor.exe	58
PID 2716 wrote to memory of 1060	2716	comwebFontMonitor.exe	59
PID 2716 wrote to memory of 1060	2716	comwebFontMonitor.exe	59
PID 2716 wrote to memory of 1060	2716	comwebFontMonitor.exe	59
PID 2716 wrote to memory of 2508	2716	comwebFontMonitor.exe	60
PID 2716 wrote to memory of 2508	2716	comwebFontMonitor.exe	60
PID 2716 wrote to memory of 2508	2716	comwebFontMonitor.exe	60
PID 2716 wrote to memory of 1788	2716	comwebFontMonitor.exe	62
PID 2716 wrote to memory of 1788	2716	comwebFontMonitor.exe	62
PID 2716 wrote to memory of 1788	2716	comwebFontMonitor.exe	62
PID 2716 wrote to memory of 840	2716	comwebFontMonitor.exe	63
PID 2716 wrote to memory of 840	2716	comwebFontMonitor.exe	63
PID 2716 wrote to memory of 840	2716	comwebFontMonitor.exe	63
PID 2716 wrote to memory of 1700	2716	comwebFontMonitor.exe	65
PID 2716 wrote to memory of 1700	2716	comwebFontMonitor.exe	65
PID 2716 wrote to memory of 1700	2716	comwebFontMonitor.exe	65
PID 2716 wrote to memory of 1040	2716	comwebFontMonitor.exe	66
PID 2716 wrote to memory of 1040	2716	comwebFontMonitor.exe	66
PID 2716 wrote to memory of 1040	2716	comwebFontMonitor.exe	66
PID 2716 wrote to memory of 1664	2716	comwebFontMonitor.exe	67
PID 2716 wrote to memory of 1664	2716	comwebFontMonitor.exe	67
PID 2716 wrote to memory of 1664	2716	comwebFontMonitor.exe	67
PID 2716 wrote to memory of 2304	2716	comwebFontMonitor.exe	68
PID 2716 wrote to memory of 2304	2716	comwebFontMonitor.exe	68
PID 2716 wrote to memory of 2304	2716	comwebFontMonitor.exe	68
PID 2716 wrote to memory of 2504	2716	comwebFontMonitor.exe	69
PID 2716 wrote to memory of 2504	2716	comwebFontMonitor.exe	69
PID 2716 wrote to memory of 2504	2716	comwebFontMonitor.exe	69
PID 2716 wrote to memory of 2364	2716	comwebFontMonitor.exe	70
PID 2716 wrote to memory of 2364	2716	comwebFontMonitor.exe	70
PID 2716 wrote to memory of 2364	2716	comwebFontMonitor.exe	70
PID 2716 wrote to memory of 984	2716	comwebFontMonitor.exe	73
PID 2716 wrote to memory of 984	2716	comwebFontMonitor.exe	73
PID 2716 wrote to memory of 984	2716	comwebFontMonitor.exe	73
PID 2716 wrote to memory of 1824	2716	comwebFontMonitor.exe	75
PID 2716 wrote to memory of 1824	2716	comwebFontMonitor.exe	75
PID 2716 wrote to memory of 1824	2716	comwebFontMonitor.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\52796cc15b3bc3df709a40ef1c164c9314096fb1eaf9167002c98a4a2fbf0869N.exe
"C:\Users\Admin\AppData\Local\Temp\52796cc15b3bc3df709a40ef1c164c9314096fb1eaf9167002c98a4a2fbf0869N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Hypermonitor\LKrf7gnHKEtTrri8lYQDrdW1woi2hn8C2Yi.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Hypermonitor\3Uu9O955Odn1NnhyAkHLIW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2840
  - - C:\Hypermonitor\comwebFontMonitor.exe
      "C:\Hypermonitor/comwebFontMonitor.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xlb3kpv0\xlb3kpv0.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FE9.tmp" "c:\Windows\System32\CSC84FA86C922E64348AF8D4CC1FEFE8E2.TMP"
        6⤵
        
        PID:2140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Hypermonitor/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\HomeGroup\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Hypermonitor\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\fr-FR\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Hypermonitor\comwebFontMonitor.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ckZ34mAp29.bat"
        5⤵
        
        PID:2824
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2908
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2536
      - C:\Hypermonitor\sppsvc.exe
        
        "C:\Hypermonitor\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\HomeGroup\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\HomeGroup\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Hypermonitor\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Hypermonitor\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Hypermonitor\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\fr-FR\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\IME\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\IME\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comwebFontMonitorc" /sc MINUTE /mo 12 /tr "'C:\Hypermonitor\comwebFontMonitor.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comwebFontMonitor" /sc ONLOGON /tr "'C:\Hypermonitor\comwebFontMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comwebFontMonitorc" /sc MINUTE /mo 14 /tr "'C:\Hypermonitor\comwebFontMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Hypermonitor\3Uu9O955Odn1NnhyAkHLIW.bat

Filesize
202B

MD5
b541eadf5e16bd42ae841669a3491e0f

SHA1
4e6164d36294cd26d17007b1b366ef1ed8c39aff

SHA256
ccb42b4abc6239620fca02564faa3aa91a7940fff62c16eebb860261b22b296d

SHA512
51e6b0c016066e68e6045ec7999b2e2a53cb70819cdaa3f04709f84de4ca3abbddc32bebdbb26b797438219696c0285d44aa24a9b2ff6031d267cf9554ba6778

Download Submit
C:\Hypermonitor\LKrf7gnHKEtTrri8lYQDrdW1woi2hn8C2Yi.vbe

Filesize
212B

MD5
b7cb58c8a5169af209effceb641b9361

SHA1
09ae4f83a6c0463f02c99f19ee768ea74c958351

SHA256
742c352df92b460fcb6cb988bf416e61f58e1f2c647fca05b795350ea3883de7

SHA512
51298c61a8a0cd0fb7bc5542f869775125e170ae83f32624af97cc1b35ca3679777e3bc3849affee9214694d582cd395308926f705e90cab50071946d18ef599

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7FE9.tmp

Filesize
1KB

MD5
dbc74dd443a6fd2f00da9d7f3c7700d3

SHA1
4014719f05bbab95dba2199cfba84fb22dd787eb

SHA256
083426581ceae41dd3fd9c7c7d87a4163f7fd0bdca7d65837aac61d44bdde787

SHA512
764e2fd89bef48962ba2ece3eba8b3edc361dde00ad5888b90761544661a91784213781cddc1c765d84f95f28e3bc759bee9527fa2901e33ee971a4e154d3f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckZ34mAp29.bat

Filesize
202B

MD5
893f30751c1f4a59b9bb6eadd209cf33

SHA1
606b1ec8c34975b9242409968a362ec0335d66ab

SHA256
0b059baa4c0a42b6fff81b520a4c943f28a81bb34d419384c3335cebfd2ee64d

SHA512
ccf5d8a81356533501bb41230bbac8bdf92a83c7c82ba317a538fc6b7988d5a85c09a63c656db704bb554c5af72b14bc400da3a5516c1a4599fc85b774e41388

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f8d05511da5d7454e778222a107d2434

SHA1
5a6715ce831817aa63acd2b1f08619c8246abc13

SHA256
6ca7855ce4e4b8dcadbd9a6a6832d6a09f4d94f3f01762eb52b790fadda7eab4

SHA512
277e1f533d46e736c728fe1698ac567483616c8d3f8053ed6eafa5327d0e34c1de9faeab9bf0b53386b2cf475a179b91180c90b8506747640d462c69f5ad0157

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xlb3kpv0\xlb3kpv0.0.cs

Filesize
365B

MD5
36782d620c1f0c3913fad2036be402a6

SHA1
095257d2f8a83cb3bf0ab58f05732e50d587bafd

SHA256
2901af1f26f3e9d0652928a363e0debf7f58913a3a5f5a0914abd26606df7d18

SHA512
538950c3fb8dc54adedfa80a4681e426022ad9c35e607f6591203eacc71cccc6295848fb6685c92fb7ae7f82339fb45dfd1c0074df06e32f91ac05d0033e5f77

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xlb3kpv0\xlb3kpv0.cmdline

Filesize
235B

MD5
6be40f2d9ca6f328aca0592bfa44ae10

SHA1
6f7003ee19b22fabe6974c6ab30f0f5dd433f43f

SHA256
93a0017d6cdd7cf4f04b130ff812050aaecb70442616b47d077f1c4421c6f2d5

SHA512
85d2e958426ec4ff9eb81971f8019d88bde3febb1760e70968a019f6757598ca24c65bf947b73e81948308f5bb4930235d1a582e4e7bc2fa0957ce155168a885

Download Submit
\??\c:\Windows\System32\CSC84FA86C922E64348AF8D4CC1FEFE8E2.TMP

Filesize
1KB

MD5
fccbcfaf29fdccaabada579f7aaf3ae7

SHA1
f9b179b6aab6b96908d89b35aab3f503478a956d

SHA256
e70bc8ad14a70d490fe92ed86e79c40fc133a64428a2781e14514b16d83a9b02

SHA512
ac047b4ba060e72e224c1afdebbdafecbfd705a67cb8f0cd5c82bf7980c2baa23bdb5bf5d821836bc0c426069a61d8e112b45239887d2d81b8a6d4fa839c1e10

Download Submit
\Hypermonitor\comwebFontMonitor.exe

Filesize
1.9MB

MD5
08e62edea94914fe3fc904a6a88975d4

SHA1
1cc51eecfd1638c461e1e474ea30f1205ecb38f4

SHA256
2092c84f1de987fda364aa58991798685b5af8353a90bf1a34d7f69685dd47ad

SHA512
4d0a90ede6b482078ed9f0c0588bb4ef3cbcc8446ea333f07a4948e57b17dd2b225805e539a20f267a888b5536f0a08c24e2edeb0a7c3de08b8442984cacb390

Download Submit
memory/1060-70-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/1824-87-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1856-155-0x0000000000C50000-0x0000000000E48000-memory.dmp

Filesize
2.0MB

Download
memory/2716-17-0x00000000005D0000-0x00000000005EC000-memory.dmp

Filesize
112KB

Download
memory/2716-27-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/2716-25-0x0000000000610000-0x000000000061E000-memory.dmp

Filesize
56KB

Download
memory/2716-23-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/2716-21-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/2716-19-0x00000000005F0000-0x0000000000608000-memory.dmp

Filesize
96KB

Download
memory/2716-15-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/2716-13-0x0000000000C40000-0x0000000000E38000-memory.dmp

Filesize
2.0MB

Download