dcrat | 7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397cea

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe
Size

1.7MB
MD5

9d6fd4119977f8cbcc627015ec074b70
SHA1

3a08d83ca46e9ecbf3fd883b63937ea794aef410
SHA256

7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397cea
SHA512

8d68579ad5299a5f9a57d535e749606dd21851c1fa670fa0820efc21d431d25ea6977c54a3cdea9f243663852a6043c988848cc73748b85473509d09fa2f7760
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2592	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2592	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2592	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2592	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2592	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2592	schtasks.exe	31

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2692-1-0x0000000000A90000-0x0000000000C50000-memory.dmp	dcrat
behavioral1/files/0x0008000000012102-29.dat	dcrat
behavioral1/files/0x0015000000018657-48.dat	dcrat
behavioral1/memory/1012-82-0x0000000000AD0000-0x0000000000C90000-memory.dmp	dcrat
behavioral1/memory/1412-131-0x0000000001230000-0x00000000013F0000-memory.dmp	dcrat
behavioral1/memory/1644-165-0x0000000000310000-0x00000000004D0000-memory.dmp	dcrat
behavioral1/memory/1324-177-0x0000000000C00000-0x0000000000DC0000-memory.dmp	dcrat
behavioral1/memory/2788-189-0x0000000000E40000-0x0000000001000000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
672	powershell.exe
2924	powershell.exe
848	powershell.exe
2888	powershell.exe
604	powershell.exe
3000	powershell.exe
2280	powershell.exe
528	powershell.exe
2848	powershell.exe
2856	powershell.exe
2928	powershell.exe
2144	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe

Executes dropped EXE 7 IoCs

pid	Process
1012	smss.exe
1412	smss.exe
1416	smss.exe
2892	smss.exe
1644	smss.exe
1324	smss.exe
2788	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
560	schtasks.exe
1124	schtasks.exe
2540	schtasks.exe
2588	schtasks.exe
2620	schtasks.exe
2084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe
2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe
2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe
2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe
2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe
2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe
2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe
2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe
2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe
2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe
2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe
3000	powershell.exe
604	powershell.exe
528	powershell.exe
848	powershell.exe
2924	powershell.exe
2280	powershell.exe
2928	powershell.exe
2856	powershell.exe
2888	powershell.exe
2144	powershell.exe
672	powershell.exe
2848	powershell.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe
1012	smss.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	604	powershell.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	1012	smss.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	1412	smss.exe
Token: SeDebugPrivilege	1416	smss.exe
Token: SeDebugPrivilege	2892	smss.exe
Token: SeDebugPrivilege	1644	smss.exe
Token: SeDebugPrivilege	1324	smss.exe
Token: SeDebugPrivilege	2788	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2928	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	38
PID 2692 wrote to memory of 2928	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	38
PID 2692 wrote to memory of 2928	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	38
PID 2692 wrote to memory of 2144	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	39
PID 2692 wrote to memory of 2144	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	39
PID 2692 wrote to memory of 2144	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	39
PID 2692 wrote to memory of 3000	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	40
PID 2692 wrote to memory of 3000	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	40
PID 2692 wrote to memory of 3000	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	40
PID 2692 wrote to memory of 2888	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	41
PID 2692 wrote to memory of 2888	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	41
PID 2692 wrote to memory of 2888	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	41
PID 2692 wrote to memory of 2280	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	42
PID 2692 wrote to memory of 2280	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	42
PID 2692 wrote to memory of 2280	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	42
PID 2692 wrote to memory of 604	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	43
PID 2692 wrote to memory of 604	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	43
PID 2692 wrote to memory of 604	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	43
PID 2692 wrote to memory of 528	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	44
PID 2692 wrote to memory of 528	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	44
PID 2692 wrote to memory of 528	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	44
PID 2692 wrote to memory of 2848	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	45
PID 2692 wrote to memory of 2848	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	45
PID 2692 wrote to memory of 2848	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	45
PID 2692 wrote to memory of 672	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	46
PID 2692 wrote to memory of 672	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	46
PID 2692 wrote to memory of 672	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	46
PID 2692 wrote to memory of 2924	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	47
PID 2692 wrote to memory of 2924	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	47
PID 2692 wrote to memory of 2924	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	47
PID 2692 wrote to memory of 848	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	48
PID 2692 wrote to memory of 848	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	48
PID 2692 wrote to memory of 848	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	48
PID 2692 wrote to memory of 2856	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	49
PID 2692 wrote to memory of 2856	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	49
PID 2692 wrote to memory of 2856	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	49
PID 2692 wrote to memory of 1012	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	62
PID 2692 wrote to memory of 1012	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	62
PID 2692 wrote to memory of 1012	2692	7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe	62
PID 1012 wrote to memory of 348	1012	smss.exe	63
PID 1012 wrote to memory of 348	1012	smss.exe	63
PID 1012 wrote to memory of 348	1012	smss.exe	63
PID 1012 wrote to memory of 1408	1012	smss.exe	64
PID 1012 wrote to memory of 1408	1012	smss.exe	64
PID 1012 wrote to memory of 1408	1012	smss.exe	64
PID 348 wrote to memory of 1412	348	WScript.exe	65
PID 348 wrote to memory of 1412	348	WScript.exe	65
PID 348 wrote to memory of 1412	348	WScript.exe	65
PID 1412 wrote to memory of 988	1412	smss.exe	66
PID 1412 wrote to memory of 988	1412	smss.exe	66
PID 1412 wrote to memory of 988	1412	smss.exe	66
PID 1412 wrote to memory of 2516	1412	smss.exe	67
PID 1412 wrote to memory of 2516	1412	smss.exe	67
PID 1412 wrote to memory of 2516	1412	smss.exe	67
PID 988 wrote to memory of 1416	988	WScript.exe	68
PID 988 wrote to memory of 1416	988	WScript.exe	68
PID 988 wrote to memory of 1416	988	WScript.exe	68
PID 1416 wrote to memory of 1836	1416	smss.exe	69
PID 1416 wrote to memory of 1836	1416	smss.exe	69
PID 1416 wrote to memory of 1836	1416	smss.exe	69
PID 1416 wrote to memory of 996	1416	smss.exe	70
PID 1416 wrote to memory of 996	1416	smss.exe	70
PID 1416 wrote to memory of 996	1416	smss.exe	70
PID 1836 wrote to memory of 2892	1836	WScript.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe
"C:\Users\Admin\AppData\Local\Temp\7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397ceaN.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\MSOCache\All Users\smss.exe
  "C:\MSOCache\All Users\smss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10852d3b-add0-4453-a387-588c9e2c4ea8.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:348
  - - C:\MSOCache\All Users\smss.exe
      "C:\MSOCache\All Users\smss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1412
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2195264f-b08d-42b2-a4ee-7399b150632d.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:988
      - C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22811d90-2741-4bea-82f8-197ed4ca9ec9.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f03c31e8-3ccb-433e-8f8a-cfe256da7737.vbs"
        9⤵
        
        PID:2144
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6635e69f-fe5c-46a8-8b43-25363ed7cc04.vbs"
        11⤵
        
        PID:1248
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2740393f-945f-4a69-8e18-2ad6d1c8a27b.vbs"
        13⤵
        
        PID:1640
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b69a5576-dc49-44a1-bdcc-e9dd40430b37.vbs"
        15⤵
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afaefcd2-b894-4c43-b0e1-883089ca94c0.vbs"
        15⤵
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e96f8be-f24c-49aa-8358-68413610838d.vbs"
        13⤵
        
        PID:1296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83300fcb-0c71-429e-8c7d-2c0baefc6fdf.vbs"
        11⤵
        
        PID:2104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f22428cc-9a45-485a-9f1c-a2e612b9cbe6.vbs"
        9⤵
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a6b1269-9f3b-432b-a1ef-aa1bbd493a27.vbs"
        7⤵
        
        PID:996
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cd4710d-1b7b-42cb-ba48-e848bfbfebe1.vbs"
        5⤵
        
        PID:2516
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\512ef7b5-c242-4aab-9b52-2e91de1fe4f3.vbs"
    3⤵
    PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\smss.exe

Filesize
1.7MB

MD5
9ce9d3275b7ccba6432966d42bd276e9

SHA1
25717330a3181886307ad40af72b60f9667cfd82

SHA256
5a498487ca4f318698b6a012bd7940b0d03393595e26fb17dd6a23c229766cd3

SHA512
09c05240708deec4a0b33fb4f2390f029fa1b14d02eb7a2d2b10593b955258990126712de23fc9bb2c4efccafe2940410b96fb72084ac6554b1956bbbfa3dd64

Download Submit
C:\MSOCache\All Users\sppsvc.exe

Filesize
1.7MB

MD5
9d6fd4119977f8cbcc627015ec074b70

SHA1
3a08d83ca46e9ecbf3fd883b63937ea794aef410

SHA256
7ab53d9063a99fe6b38d630bc1c7bc333827d3db4bef404881208c95f4397cea

SHA512
8d68579ad5299a5f9a57d535e749606dd21851c1fa670fa0820efc21d431d25ea6977c54a3cdea9f243663852a6043c988848cc73748b85473509d09fa2f7760

Download Submit
C:\Users\Admin\AppData\Local\Temp\10852d3b-add0-4453-a387-588c9e2c4ea8.vbs

Filesize
706B

MD5
52c5ddeac091d4428a8345b9a7d5d590

SHA1
5f12aac2c75ed210bd554804d0425e3f6ff1aac8

SHA256
9c0c26ca37520558ca72ba57403addfb734f35f960d3b1fcaebaa72724659024

SHA512
887fc094d788a0fd9f3e089fedea92332d428e1a4214c4d5b44a19db79a32dce49895f6520fe41534cbf17b0768c91f59280ef6b003bca18b11481e1bafffa24

Download Submit
C:\Users\Admin\AppData\Local\Temp\2195264f-b08d-42b2-a4ee-7399b150632d.vbs

Filesize
706B

MD5
4ee675528597a48bad5710fcd363b687

SHA1
a0150a2080a50f48b9eca685a46a2ef2e76d7988

SHA256
eabfd7da1c16f16a481be1150d4df1062d727c90f21a4439f73bb2d497f3e2b4

SHA512
9cbfa9737df9da0834bb132cad655a084c2950b5901d1e193a0a02747056bc81540e6f9dfea460ee9141cf5bba37d946fa91a83f1b8a8827d89f7347e9c9aa2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\22811d90-2741-4bea-82f8-197ed4ca9ec9.vbs

Filesize
706B

MD5
52048e50476369d69db3c2718ccf2390

SHA1
f8808d8117dba75915a165c284aaca0452f8b7a7

SHA256
97f58fe3cfd4ea8bc623586782d63677ef64397ddfea3a4bb3ce7f57cec141c4

SHA512
c238bb617b776df12a773b0451a44b27288f215cef92792c91e85e1978af2c844a8c9c3af3767c269cf50e1e4b3aef5ba2c5e4cb4707e348eb67212c34d8bd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2740393f-945f-4a69-8e18-2ad6d1c8a27b.vbs

Filesize
706B

MD5
61e71e5a83663c35212fb496e2b32e39

SHA1
af875d224853f876f644379ab15403af8b6d9297

SHA256
ef8451c56cbe9eab446a58fbe8c0f59219489e9da86846e5657fed1174d4be1e

SHA512
d6690e3d47eff765b4d2e2e81aa602c7bd67cda21229753cca39a2287e2c53f2180d61b008a3044eb7ee6da108167a81234c088f5b8689ca38cd8d30b40f52c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\512ef7b5-c242-4aab-9b52-2e91de1fe4f3.vbs

Filesize
482B

MD5
bfdce2aec16eb2eafcbb2759dd590aa0

SHA1
3d490e57d0959ffb58a390bc81f6c3d23ac7ce44

SHA256
b318c99b21e712ebba299057c7902122831fe1b270bb663517b85a033e6bfe36

SHA512
55294af84105a69d96cbf8dc89ab6ba977ac00f9afe328629f121fcd8d957aa3b05d88329857c2956d66bbcb6c3324fc3f4aebf28b71ed268c3681e061745b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\6635e69f-fe5c-46a8-8b43-25363ed7cc04.vbs

Filesize
706B

MD5
e2888e3bd6c1ec77978daf55a4ab4778

SHA1
48cfa95d0e3ea95ceff47fb36b68f9ca0ad2d824

SHA256
68acb909a2db442e3e9ac92a9ba4e8db7af1e89da6031df22457d09160bf44f3

SHA512
f00970d90bad5c3f832dc63e6a6cfa95dc5ff8ea534f996019e1ecac83ebc3ce83dc6a7cab685da9c2ceef2c8eea6050c5eea19422a4e83b536298594fd6af2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b69a5576-dc49-44a1-bdcc-e9dd40430b37.vbs

Filesize
706B

MD5
cf7a27ee245744ae98d616d4c33dbbd6

SHA1
4b5ec45881df83a61df85ad74afa3224b446626c

SHA256
a973468b514e173650ceb02d11dfe4b623217734844f3a311df14c58cdf7741e

SHA512
42a12d1881fd060fe74ce4d3ae4582fe58e5deb79bd2825ac68b50bb24a5c8a8a97c664fdca5fa78b8f9c86f0de7a183a9a18f901db930fbba259f4405af2bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f03c31e8-3ccb-433e-8f8a-cfe256da7737.vbs

Filesize
706B

MD5
be9f8efccbadf56d0ab2f908ce6ababf

SHA1
6cd95e0eb1e623b08285c7a70580c0d7c837d66c

SHA256
a6abfcc7e931eb9f13f391b905b7c1807875aa47ee75dde0069b8a1f446e4e0c

SHA512
c19cf29f7ac0b4bdc0ebb87e125fd8529072e9bd90a1e27f6818b900879456ec669fdbdcc7ae6a2b3e744fdcad0a8d0acaefa3a86b6a1ea128052603a886d0e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5ed64dbd157109883a0e139b7c218383

SHA1
dafa6066f1d0a92b99ed6bcbc6967b87af8ebd57

SHA256
5a6ffe2694f2081e214b1b1b65240e7dfcb5f228f7c386deb0df3f6e48dbe152

SHA512
aea5967643fc964fe067b2ff248eeef0b2b3b06a12d9d02299850351363e336947eb77803d0dea9da137b66d683b74006746d958f81eed2dc9f89edb08dec6a3

Download Submit
memory/604-86-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/1012-82-0x0000000000AD0000-0x0000000000C90000-memory.dmp

Filesize
1.8MB

Download
memory/1324-177-0x0000000000C00000-0x0000000000DC0000-memory.dmp

Filesize
1.8MB

Download
memory/1412-131-0x0000000001230000-0x00000000013F0000-memory.dmp

Filesize
1.8MB

Download
memory/1644-165-0x0000000000310000-0x00000000004D0000-memory.dmp

Filesize
1.8MB

Download
memory/2692-9-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/2692-15-0x0000000000640000-0x0000000000648000-memory.dmp

Filesize
32KB

Download
memory/2692-0-0x000007FEF61F3000-0x000007FEF61F4000-memory.dmp

Filesize
4KB

Download
memory/2692-14-0x0000000000630000-0x000000000063E000-memory.dmp

Filesize
56KB

Download
memory/2692-13-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/2692-12-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2692-11-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2692-120-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

Filesize
9.9MB

Download
memory/2692-7-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2692-16-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/2692-1-0x0000000000A90000-0x0000000000C50000-memory.dmp

Filesize
1.8MB

Download
memory/2692-18-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

Filesize
9.9MB

Download
memory/2692-8-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2692-6-0x0000000000490000-0x00000000004A6000-memory.dmp

Filesize
88KB

Download
memory/2692-5-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2692-17-0x0000000000A80000-0x0000000000A8C000-memory.dmp

Filesize
48KB

Download
memory/2692-4-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/2692-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/2692-2-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

Filesize
9.9MB

Download
memory/2788-189-0x0000000000E40000-0x0000000001000000-memory.dmp

Filesize
1.8MB

Download
memory/2788-190-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/3000-101-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download