dcrat | e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
Size

1.7MB
MD5

d337a1cc8b6b0d9f1c16ec727b3197e2
SHA1

01dbeb18baa4efb70b3a30930e08d89e2e25c05a
SHA256

e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345
SHA512

d20493b21aceb61d5e8c49afa8cd0cdd14234b9b3d94d4f8af92f0b64cb4542fc154cd29339b1f56abae14c97b752f8f6b81d6e86e301c3576117fa510879285
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvV:eTHUxUoh1IF9gl2e

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2992	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2992	schtasks.exe	31

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2224-1-0x0000000000CD0000-0x0000000000E90000-memory.dmp	dcrat
behavioral1/files/0x000800000001930d-29.dat	dcrat
behavioral1/memory/1324-103-0x0000000000860000-0x0000000000A20000-memory.dmp	dcrat
behavioral1/memory/2908-145-0x0000000000950000-0x0000000000B10000-memory.dmp	dcrat
behavioral1/memory/1804-157-0x0000000000D60000-0x0000000000F20000-memory.dmp	dcrat
behavioral1/memory/2140-180-0x00000000003C0000-0x0000000000580000-memory.dmp	dcrat
behavioral1/memory/2176-192-0x00000000000A0000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/2780-204-0x0000000000890000-0x0000000000A50000-memory.dmp	dcrat
behavioral1/memory/2416-216-0x0000000000C80000-0x0000000000E40000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2252	powershell.exe
2604	powershell.exe
3024	powershell.exe
568	powershell.exe
3052	powershell.exe
1920	powershell.exe
3028	powershell.exe
3048	powershell.exe
988	powershell.exe
2032	powershell.exe
2700	powershell.exe
676	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe

Executes dropped EXE 9 IoCs

pid	Process
1324	WmiPrvSE.exe
2908	WmiPrvSE.exe
1804	WmiPrvSE.exe
2936	WmiPrvSE.exe
2140	WmiPrvSE.exe
2176	WmiPrvSE.exe
2780	WmiPrvSE.exe
2416	WmiPrvSE.exe
2704	WmiPrvSE.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\es-ES\WmiPrvSE.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\WmiPrvSE.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files\Windows Mail\es-ES\24dbde2999530e	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\RCXF1FF.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\RCXF200.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2940	schtasks.exe
2884	schtasks.exe
2484	schtasks.exe
2248	schtasks.exe
2772	schtasks.exe
2696	schtasks.exe
2464	schtasks.exe
2472	schtasks.exe
2636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2700	powershell.exe
3052	powershell.exe
2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2252	powershell.exe
2032	powershell.exe
2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
988	powershell.exe
3048	powershell.exe
676	powershell.exe
3024	powershell.exe
2604	powershell.exe
1920	powershell.exe
568	powershell.exe
3028	powershell.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
1324	WmiPrvSE.exe
2908	WmiPrvSE.exe
2908	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	1324	WmiPrvSE.exe
Token: SeDebugPrivilege	2908	WmiPrvSE.exe
Token: SeDebugPrivilege	1804	WmiPrvSE.exe
Token: SeDebugPrivilege	2936	WmiPrvSE.exe
Token: SeDebugPrivilege	2140	WmiPrvSE.exe
Token: SeDebugPrivilege	2176	WmiPrvSE.exe
Token: SeDebugPrivilege	2780	WmiPrvSE.exe
Token: SeDebugPrivilege	2416	WmiPrvSE.exe
Token: SeDebugPrivilege	2704	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 988	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	41
PID 2224 wrote to memory of 988	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	41
PID 2224 wrote to memory of 988	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	41
PID 2224 wrote to memory of 2032	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	42
PID 2224 wrote to memory of 2032	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	42
PID 2224 wrote to memory of 2032	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	42
PID 2224 wrote to memory of 2700	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	43
PID 2224 wrote to memory of 2700	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	43
PID 2224 wrote to memory of 2700	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	43
PID 2224 wrote to memory of 676	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	44
PID 2224 wrote to memory of 676	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	44
PID 2224 wrote to memory of 676	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	44
PID 2224 wrote to memory of 3024	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	45
PID 2224 wrote to memory of 3024	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	45
PID 2224 wrote to memory of 3024	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	45
PID 2224 wrote to memory of 568	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	46
PID 2224 wrote to memory of 568	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	46
PID 2224 wrote to memory of 568	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	46
PID 2224 wrote to memory of 3052	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	47
PID 2224 wrote to memory of 3052	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	47
PID 2224 wrote to memory of 3052	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	47
PID 2224 wrote to memory of 1920	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	48
PID 2224 wrote to memory of 1920	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	48
PID 2224 wrote to memory of 1920	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	48
PID 2224 wrote to memory of 3028	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	49
PID 2224 wrote to memory of 3028	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	49
PID 2224 wrote to memory of 3028	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	49
PID 2224 wrote to memory of 3048	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	50
PID 2224 wrote to memory of 3048	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	50
PID 2224 wrote to memory of 3048	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	50
PID 2224 wrote to memory of 2252	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	51
PID 2224 wrote to memory of 2252	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	51
PID 2224 wrote to memory of 2252	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	51
PID 2224 wrote to memory of 2604	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	52
PID 2224 wrote to memory of 2604	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	52
PID 2224 wrote to memory of 2604	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	52
PID 2224 wrote to memory of 1324	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	65
PID 2224 wrote to memory of 1324	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	65
PID 2224 wrote to memory of 1324	2224	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	65
PID 1324 wrote to memory of 1504	1324	WmiPrvSE.exe	66
PID 1324 wrote to memory of 1504	1324	WmiPrvSE.exe	66
PID 1324 wrote to memory of 1504	1324	WmiPrvSE.exe	66
PID 1324 wrote to memory of 2760	1324	WmiPrvSE.exe	67
PID 1324 wrote to memory of 2760	1324	WmiPrvSE.exe	67
PID 1324 wrote to memory of 2760	1324	WmiPrvSE.exe	67
PID 1504 wrote to memory of 2908	1504	WScript.exe	68
PID 1504 wrote to memory of 2908	1504	WScript.exe	68
PID 1504 wrote to memory of 2908	1504	WScript.exe	68
PID 2908 wrote to memory of 2340	2908	WmiPrvSE.exe	69
PID 2908 wrote to memory of 2340	2908	WmiPrvSE.exe	69
PID 2908 wrote to memory of 2340	2908	WmiPrvSE.exe	69
PID 2908 wrote to memory of 1972	2908	WmiPrvSE.exe	70
PID 2908 wrote to memory of 1972	2908	WmiPrvSE.exe	70
PID 2908 wrote to memory of 1972	2908	WmiPrvSE.exe	70
PID 2340 wrote to memory of 1804	2340	WScript.exe	71
PID 2340 wrote to memory of 1804	2340	WScript.exe	71
PID 2340 wrote to memory of 1804	2340	WScript.exe	71
PID 1804 wrote to memory of 900	1804	WmiPrvSE.exe	72
PID 1804 wrote to memory of 900	1804	WmiPrvSE.exe	72
PID 1804 wrote to memory of 900	1804	WmiPrvSE.exe	72
PID 1804 wrote to memory of 2920	1804	WmiPrvSE.exe	73
PID 1804 wrote to memory of 2920	1804	WmiPrvSE.exe	73
PID 1804 wrote to memory of 2920	1804	WmiPrvSE.exe	73
PID 900 wrote to memory of 2936	900	WScript.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
"C:\Users\Admin\AppData\Local\Temp\e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\MSOCache\All Users\WmiPrvSE.exe
  "C:\MSOCache\All Users\WmiPrvSE.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6fe5234-1e27-4de6-a978-d982501507a6.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\MSOCache\All Users\WmiPrvSE.exe
      "C:\MSOCache\All Users\WmiPrvSE.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b12f253-71f2-45c9-985f-6be04e8c1f6f.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2340
      - C:\MSOCache\All Users\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\869fc9d3-aaef-4256-8ff6-4711355dd736.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\MSOCache\All Users\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\WmiPrvSE.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2afec2b-6452-497f-83ed-07de60b93805.vbs"
        9⤵
        
        PID:1956
        
        C:\MSOCache\All Users\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\WmiPrvSE.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47d25496-3934-4242-8ff9-83ae3f3b020a.vbs"
        11⤵
        
        PID:2796
        
        C:\MSOCache\All Users\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\WmiPrvSE.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\408604c1-fb72-4115-b4cd-8b259ee45564.vbs"
        13⤵
        
        PID:2000
        
        C:\MSOCache\All Users\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\WmiPrvSE.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91bc1336-93e4-4a61-9698-a9954684f5ff.vbs"
        15⤵
        
        PID:1632
        
        C:\MSOCache\All Users\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\WmiPrvSE.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1dc591d-7773-42d9-9e1c-bd881b71bf55.vbs"
        17⤵
        
        PID:2236
        
        C:\MSOCache\All Users\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\WmiPrvSE.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4c3cf2b-81e8-40af-a055-d7d04b1401fc.vbs"
        19⤵
        
        PID:1980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76617f85-066f-4b4b-b123-d7ec06a83961.vbs"
        19⤵
        
        PID:1672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b84956a3-acbf-46ff-b90c-b191904b2993.vbs"
        17⤵
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2249f511-bc58-4996-8870-76d96b87e51b.vbs"
        15⤵
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4997073b-af56-493c-86b7-731edb951edc.vbs"
        13⤵
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f564c69-6d3c-4b5a-8178-149b899cdcc4.vbs"
        11⤵
        
        PID:2220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc6b0e57-d81d-4f24-a03b-fc9e4a2f98e6.vbs"
        9⤵
        
        PID:2652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da5c3df8-47ad-4827-8140-ac2346a0285d.vbs"
        7⤵
        
        PID:2920
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b2470bf-9c30-47da-8cb9-fbb82a2d0a22.vbs"
        5⤵
        
        PID:1972
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b6c7578-8d44-49db-ae27-43ce6de06e3a.vbs"
    3⤵
    PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\es-ES\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3b12f253-71f2-45c9-985f-6be04e8c1f6f.vbs

Filesize
710B

MD5
90f2647e6a499c60e12410748adc7530

SHA1
ec981d1131adbbaeb5611f2723f84ea40a0d68bd

SHA256
39af53a9ff24efd9d53c67f7a260fed2813a5e4b3009c9922590b088b0a4b769

SHA512
b99161ced4a1c4c53cfd7c9334beddea1a93a610fe9a6757d28005b09289fb305f8fe4f03a17caa43de551f0092f8c3d1b1f87d31ee620769af38df9c08b223f

Download Submit
C:\Users\Admin\AppData\Local\Temp\408604c1-fb72-4115-b4cd-8b259ee45564.vbs

Filesize
710B

MD5
906e8dbc30634b3afaa4864784c4302c

SHA1
79204f3e4014411f7d3faf4d410d579b09254606

SHA256
d93a56ecdf90ad959250acfaf6b8973de3560d3a5829774b563f2b10fa065e13

SHA512
62fce9bf806cf29244585329226524fd4fd21ee288b5999ef9a02ee770509cd5fbd6c430c7508e63ac2de0639bc29c085ce83b01b921233200cb8cf179c889cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\47d25496-3934-4242-8ff9-83ae3f3b020a.vbs

Filesize
710B

MD5
b284701fb016850057b5169aca5449e5

SHA1
d82bd742cc5735b29a37b00ab0c793e6dbb94f21

SHA256
c408f405a57c9cedd5a951983d92bba09e790cb9926829379bf8840dd5fb8b28

SHA512
7b551c7102a24dd76cbba52d6ab4119fab50cbc676ce2a3b3420381fba44d813c7f4a6abd828504c8a2931c01cecbcea5fc75963c1033a1a6cbfec4c790e50b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b6c7578-8d44-49db-ae27-43ce6de06e3a.vbs

Filesize
486B

MD5
345683396351b61ad4c687e8d9cb2268

SHA1
45ae3b4a3b17b6d00e54134863daed055f34e624

SHA256
1b607b0a1daad4c79830a7ef10fcbb3ee93fa0eed8e71b06396b15bf10ec66d5

SHA512
dbf99807c2db28d94051abda5c155d9a022697531b8fba88f6063a964bbcc20951501ee21425016149b050cd19ac6a54530bbb604804107e0c47438627ceccf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\869fc9d3-aaef-4256-8ff6-4711355dd736.vbs

Filesize
710B

MD5
27ff5192de20f12fc5b786c975e8b68b

SHA1
3512e10e0cc53e24adf1b555d83efe09f8258251

SHA256
18bddec72dbc6cc99c4fa4adda2f25f3cc60d956e6ee4c9bdb3ff0937af12c3c

SHA512
fa1bddf74dc5afbf297bf4a1257ee96b2c3c93a82ff7c1a7502d00ac42fc6c6db82af4c1607073d9df1c3b5c9dd8ebf0fae30d4c0a6939452665869dec8466fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\91bc1336-93e4-4a61-9698-a9954684f5ff.vbs

Filesize
710B

MD5
6c3ae37b704c6383f97b378b37e8e388

SHA1
e814e2550069a931347e100efc240e7919fb266b

SHA256
a72883f402e25d2881eb8d0debf294fb2a8e149339958e0eb32d2f2863f21e5b

SHA512
426695bb92fca6bff273148b4890be652f80cd0406b2bdb8c4b67bf36e335e76e4bcb572abe00595e73b36c72621f471282305e84dfc645e76fa5ad15807a568

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXEFFB.tmp

Filesize
1.7MB

MD5
9d6fd4119977f8cbcc627015ec074b70

SHA1
3a08d83ca46e9ecbf3fd883b63937ea794aef410

SHA256
7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397cea

SHA512
8d68579ad5299a5f9a57d535e749606dd21851c1fa670fa0820efc21d431d25ea6977c54a3cdea9f243663852a6043c988848cc73748b85473509d09fa2f7760

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2afec2b-6452-497f-83ed-07de60b93805.vbs

Filesize
710B

MD5
bf27890c3eed7949433554bf28d7ae59

SHA1
4492b2966fd58cf4b81c8c6fb36dec7ad732d63c

SHA256
df1e35607c3fdc47effa378d32c1da7517e501beb8d475f903cd0b883bd48ef0

SHA512
818bc175921f07dfbe6a262161cc5ad2a8f05923825698b1155b5a5c99d153522f9630157b033bc447b17b97b6193a9dd618d4f2c6bfdbc9a10d1d4bbec199ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1dc591d-7773-42d9-9e1c-bd881b71bf55.vbs

Filesize
710B

MD5
b12b5dc6d799f9a1fb3fc8c4abb705f1

SHA1
d9c6cf257c856c94b68f7e5579dcf0d221d9f454

SHA256
3b5e549567df5c3f1191cf5de0db6512b25d7e93eb900275b13deef5f719fb4e

SHA512
23e89314654a99db567c003604da96219c379ef0f0ffa61fa810a85c451d95c04b914b1be66aa91c8dc5a190dc6dd346a51ba54a60446f22cbd6cfaf7c150635

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6fe5234-1e27-4de6-a978-d982501507a6.vbs

Filesize
710B

MD5
c23d13311159a59122c26b3c21be38bb

SHA1
a97d67e0722e0ef2b33050a19169f264ab0c9f1e

SHA256
91b503df4474a56f7ba5c440b47b4eef3d8534d4f59b73b73a4827ff21bf1a43

SHA512
75814fb0eb35365b0a8db22801638039af01728a6e5e1bd15ca936d490c550ec77d3e3f1eafe0d01f5e1a201dcf958e7005584565e196916b95edca097d5199d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4c3cf2b-81e8-40af-a055-d7d04b1401fc.vbs

Filesize
710B

MD5
22eb38279971a9e00884db5a2e46145d

SHA1
df2b566e9c9f86b336ab19356968bb39b57681de

SHA256
7c75d6740d96e280547d39e4a83ff1823e78e27bc030650719390500711dd0d8

SHA512
33755145d0a5cb09c52e777e26ea632ea5627ddba2a549e1a05289f9de030c3341dedde1ee9c6c43888ed1458aaa3f98d4642aba5670fb1ece39cf91ca616012

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
03b36262c322817c1fe3245d19266cbe

SHA1
82824be25392ef2185f3e2e8177e4456cfa9584f

SHA256
8113d226a97cc0cc808da6194a3fcef5116c637e3b51cb0e9bde4ee89351e868

SHA512
34a097c118cf623bcfae9f3c2265bdf1dbb13ff1b8e46e17e73a441ccf5e17fa1a2d176ff693619980706a854cde97ef53f186ce00036201782668534e2e3a88

Download Submit
memory/1324-103-0x0000000000860000-0x0000000000A20000-memory.dmp

Filesize
1.8MB

Download
memory/1804-157-0x0000000000D60000-0x0000000000F20000-memory.dmp

Filesize
1.8MB

Download
memory/2140-180-0x00000000003C0000-0x0000000000580000-memory.dmp

Filesize
1.8MB

Download
memory/2176-192-0x00000000000A0000-0x0000000000260000-memory.dmp

Filesize
1.8MB

Download
memory/2224-11-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2224-9-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download
memory/2224-12-0x0000000000B30000-0x0000000000B3C000-memory.dmp

Filesize
48KB

Download
memory/2224-14-0x0000000000CA0000-0x0000000000CAE000-memory.dmp

Filesize
56KB

Download
memory/2224-0-0x000007FEF5593000-0x000007FEF5594000-memory.dmp

Filesize
4KB

Download
memory/2224-1-0x0000000000CD0000-0x0000000000E90000-memory.dmp

Filesize
1.8MB

Download
memory/2224-17-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/2224-134-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2224-3-0x00000000005D0000-0x00000000005EC000-memory.dmp

Filesize
112KB

Download
memory/2224-19-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2224-2-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2224-8-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

Filesize
48KB

Download
memory/2224-15-0x0000000000B40000-0x0000000000B48000-memory.dmp

Filesize
32KB

Download
memory/2224-7-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/2224-6-0x0000000000600000-0x0000000000616000-memory.dmp

Filesize
88KB

Download
memory/2224-16-0x0000000000B60000-0x0000000000B6C000-memory.dmp

Filesize
48KB

Download
memory/2224-5-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/2224-13-0x0000000000B50000-0x0000000000B5A000-memory.dmp

Filesize
40KB

Download
memory/2224-4-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/2416-216-0x0000000000C80000-0x0000000000E40000-memory.dmp

Filesize
1.8MB

Download
memory/2700-82-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2700-83-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2704-228-0x0000000000650000-0x0000000000662000-memory.dmp

Filesize
72KB

Download
memory/2780-204-0x0000000000890000-0x0000000000A50000-memory.dmp

Filesize
1.8MB

Download
memory/2908-145-0x0000000000950000-0x0000000000B10000-memory.dmp

Filesize
1.8MB

Download