dcrat | 240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84

Analysis

max time kernel
106s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/12/2024, 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
Size

1.7MB
MD5

50699c5914ac35c234c6b67e35dc8db0
SHA1

e563907f1f99293ef2e71b8beb673e7e4404ee5a
SHA256

240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84
SHA512

081a456d5dfc28a833558b0fb9ed23f8b1196016f92937091db02a898a71724c2871c7f909eae3d35d6e4f8cf646e3f6cf4cb6191bc25820beeaab4737506a1b
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2284	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2284	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2284	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2284	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2284	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2284	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2284	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2284	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2284	schtasks.exe	29

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2808-1-0x0000000001080000-0x0000000001240000-memory.dmp	dcrat
behavioral1/files/0x000500000001960c-29.dat	dcrat
behavioral1/files/0x00050000000197fd-38.dat	dcrat
behavioral1/files/0x000e000000012264-49.dat	dcrat
behavioral1/memory/2528-108-0x0000000000AC0000-0x0000000000C80000-memory.dmp	dcrat
behavioral1/memory/2292-169-0x0000000000390000-0x0000000000550000-memory.dmp	dcrat
behavioral1/memory/2688-181-0x0000000000B30000-0x0000000000CF0000-memory.dmp	dcrat
behavioral1/files/0x00060000000186c3-193.dat	dcrat
behavioral1/files/0x000b00000001960c-197.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2488	powershell.exe
2300	powershell.exe
2892	powershell.exe
2932	powershell.exe
2628	powershell.exe
1952	powershell.exe
2212	powershell.exe
1692	powershell.exe
1704	powershell.exe
2508	powershell.exe
1360	powershell.exe
2228	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe

Executes dropped EXE 6 IoCs

pid	Process
2528	csrss.exe
3052	csrss.exe
2856	csrss.exe
2192	csrss.exe
2292	csrss.exe
2688	csrss.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\886983d96e3d3e	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File opened for modification	C:\Program Files\7-Zip\RCXE1A.tmp	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File opened for modification	C:\Program Files\7-Zip\RCXE2B.tmp	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File opened for modification	C:\Program Files\7-Zip\csrss.exe	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File created	C:\Program Files\7-Zip\csrss.exe	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\24dbde2999530e	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File opened for modification	C:\Windows\L2Schemas\RCX908.tmp	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File opened for modification	C:\Windows\Fonts\RCXB99.tmp	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File created	C:\Windows\L2Schemas\WmiPrvSE.exe	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File opened for modification	C:\Windows\L2Schemas\WmiPrvSE.exe	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File created	C:\Windows\Fonts\dllhost.exe	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File created	C:\Windows\Fonts\5940a34987c991	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File opened for modification	C:\Windows\L2Schemas\RCX985.tmp	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File opened for modification	C:\Windows\Fonts\RCXC07.tmp	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
File opened for modification	C:\Windows\Fonts\dllhost.exe	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2760	schtasks.exe
1184	schtasks.exe
2884	schtasks.exe
1188	schtasks.exe
2256	schtasks.exe
2756	schtasks.exe
2936	schtasks.exe
872	schtasks.exe
3016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2228	powershell.exe
1692	powershell.exe
2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2892	powershell.exe
2488	powershell.exe
2300	powershell.exe
2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
2932	powershell.exe
1952	powershell.exe
1704	powershell.exe
1360	powershell.exe
2628	powershell.exe
2212	powershell.exe
2508	powershell.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe
2528	csrss.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2528	csrss.exe
Token: SeDebugPrivilege	3052	csrss.exe
Token: SeDebugPrivilege	2856	csrss.exe
Token: SeDebugPrivilege	2192	csrss.exe
Token: SeDebugPrivilege	2292	csrss.exe
Token: SeDebugPrivilege	2688	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2932	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	39
PID 2808 wrote to memory of 2932	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	39
PID 2808 wrote to memory of 2932	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	39
PID 2808 wrote to memory of 1704	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	40
PID 2808 wrote to memory of 1704	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	40
PID 2808 wrote to memory of 1704	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	40
PID 2808 wrote to memory of 1692	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	42
PID 2808 wrote to memory of 1692	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	42
PID 2808 wrote to memory of 1692	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	42
PID 2808 wrote to memory of 2892	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	43
PID 2808 wrote to memory of 2892	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	43
PID 2808 wrote to memory of 2892	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	43
PID 2808 wrote to memory of 2300	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	44
PID 2808 wrote to memory of 2300	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	44
PID 2808 wrote to memory of 2300	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	44
PID 2808 wrote to memory of 2228	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	45
PID 2808 wrote to memory of 2228	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	45
PID 2808 wrote to memory of 2228	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	45
PID 2808 wrote to memory of 1360	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	46
PID 2808 wrote to memory of 1360	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	46
PID 2808 wrote to memory of 1360	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	46
PID 2808 wrote to memory of 2488	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	47
PID 2808 wrote to memory of 2488	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	47
PID 2808 wrote to memory of 2488	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	47
PID 2808 wrote to memory of 2212	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	48
PID 2808 wrote to memory of 2212	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	48
PID 2808 wrote to memory of 2212	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	48
PID 2808 wrote to memory of 1952	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	49
PID 2808 wrote to memory of 1952	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	49
PID 2808 wrote to memory of 1952	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	49
PID 2808 wrote to memory of 2508	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	50
PID 2808 wrote to memory of 2508	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	50
PID 2808 wrote to memory of 2508	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	50
PID 2808 wrote to memory of 2628	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	51
PID 2808 wrote to memory of 2628	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	51
PID 2808 wrote to memory of 2628	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	51
PID 2808 wrote to memory of 2528	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	63
PID 2808 wrote to memory of 2528	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	63
PID 2808 wrote to memory of 2528	2808	240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe	63
PID 2528 wrote to memory of 2256	2528	csrss.exe	64
PID 2528 wrote to memory of 2256	2528	csrss.exe	64
PID 2528 wrote to memory of 2256	2528	csrss.exe	64
PID 2528 wrote to memory of 3048	2528	csrss.exe	65
PID 2528 wrote to memory of 3048	2528	csrss.exe	65
PID 2528 wrote to memory of 3048	2528	csrss.exe	65
PID 2256 wrote to memory of 3052	2256	WScript.exe	66
PID 2256 wrote to memory of 3052	2256	WScript.exe	66
PID 2256 wrote to memory of 3052	2256	WScript.exe	66
PID 3052 wrote to memory of 1596	3052	csrss.exe	67
PID 3052 wrote to memory of 1596	3052	csrss.exe	67
PID 3052 wrote to memory of 1596	3052	csrss.exe	67
PID 3052 wrote to memory of 2164	3052	csrss.exe	68
PID 3052 wrote to memory of 2164	3052	csrss.exe	68
PID 3052 wrote to memory of 2164	3052	csrss.exe	68
PID 1596 wrote to memory of 2856	1596	WScript.exe	69
PID 1596 wrote to memory of 2856	1596	WScript.exe	69
PID 1596 wrote to memory of 2856	1596	WScript.exe	69
PID 2856 wrote to memory of 2972	2856	csrss.exe	70
PID 2856 wrote to memory of 2972	2856	csrss.exe	70
PID 2856 wrote to memory of 2972	2856	csrss.exe	70
PID 2856 wrote to memory of 1704	2856	csrss.exe	71
PID 2856 wrote to memory of 1704	2856	csrss.exe	71
PID 2856 wrote to memory of 1704	2856	csrss.exe	71
PID 2972 wrote to memory of 2192	2972	WScript.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe
"C:\Users\Admin\AppData\Local\Temp\240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84N.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Program Files\7-Zip\csrss.exe
  "C:\Program Files\7-Zip\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bf82f45-d8ea-4f38-adbc-396f33b88cb7.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Program Files\7-Zip\csrss.exe
      "C:\Program Files\7-Zip\csrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce1c3f35-8402-4849-8337-53d976b5b0c6.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1596
      - C:\Program Files\7-Zip\csrss.exe
        
        "C:\Program Files\7-Zip\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c91ae1c2-a1db-45e2-8747-e99d1e099dae.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Program Files\7-Zip\csrss.exe
        
        "C:\Program Files\7-Zip\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c641c67-58f0-4c40-a133-8744a32d9170.vbs"
        9⤵
        
        PID:856
        
        C:\Program Files\7-Zip\csrss.exe
        
        "C:\Program Files\7-Zip\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5baa91df-5971-4b80-8717-4b029b81ae2c.vbs"
        11⤵
        
        PID:1188
        
        C:\Program Files\7-Zip\csrss.exe
        
        "C:\Program Files\7-Zip\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8913a869-bee6-46bc-b41d-494116a1b218.vbs"
        13⤵
        
        PID:976
        
        C:\Program Files\7-Zip\csrss.exe
        
        "C:\Program Files\7-Zip\csrss.exe"
        14⤵
        
        PID:2660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd31a632-0812-4e51-94dd-cb454e3864ef.vbs"
        15⤵
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\832e7f52-01d7-4db3-9b5a-cc6a3c6c59cf.vbs"
        15⤵
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\933f134f-ee2f-4b72-93a8-e7cbadabf4e4.vbs"
        13⤵
        
        PID:1920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dee8e19a-36b8-41b5-b6ef-8881443f3334.vbs"
        11⤵
        
        PID:2984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37637949-4a74-4f2b-9a95-6aeefe0b0962.vbs"
        9⤵
        
        PID:1300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd5e0bb7-fc03-473f-873e-4a99a9456e11.vbs"
        7⤵
        
        PID:1704
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60ce1adc-7451-4e45-a658-b7eaac51cc59.vbs"
        5⤵
        
        PID:2164
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1118ab37-314b-4c73-8ad3-10284897ee1b.vbs"
    3⤵
    PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\csrss.exe

Filesize
1.1MB

MD5
27851e135faf1dc093cf064e4a4e0027

SHA1
cfe409f8257824b83c5a3dc1aa05f2d43434520f

SHA256
02cc99b316521c5595ab9b759f807683f0c5a84119b04e193d307eeb22c0471f

SHA512
26217826931f752037823d7e52fa06948f099841cdd48497d65a46fd37509d13450857007d6a06eb600ecffc32ce01bea0b0a2447c5ff7fc0dc83e1b8f3d21d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1118ab37-314b-4c73-8ad3-10284897ee1b.vbs

Filesize
484B

MD5
f2e22a28dadcc9f4eabd32d66dfa3d1a

SHA1
0bd1503c88595548e17a4551f575061565252fb8

SHA256
a904ff9bfd0dc4c8490478fedbf0d498c3dda357db80e6b7ebaaaacf7d9b005c

SHA512
5141c87df771a97576b073aad1c096be6d64b1f942d3f4ade815fbffc96df0727649b4fa6be139ec212509c33e112fd6e93c6cc1b3683e11748b3982bcac8982

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f6a4ee872bff8ed69fa5f3dbaf531c5bb992f07.exe

Filesize
1.1MB

MD5
f83512b0c66fa31643b1ee217cdc1a04

SHA1
dbf70740ae56fdcea23642428e930d8caa965655

SHA256
56170269a9599c0e2defbfcf62a0e8eb3c91e7bd430a9623009383b23a72dee2

SHA512
b5a045b9ea5d788ca8d23ab43367a536f13a90c5c50335a9590c6a625ac9974d52d598ba9661c1cf70db68d4eebcbad87a6f4e46514d496dcc539c2bf6b815c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5baa91df-5971-4b80-8717-4b029b81ae2c.vbs

Filesize
708B

MD5
c3abd4e52f2f34e583fc0264f2958f6c

SHA1
a9967727916ff01cf985d150c9a980a56c9bf1cd

SHA256
033884e0fd266a10674edef2ad74c040d771e078d6f6319cc2951f082f07f615

SHA512
b43298a22ca61f4fb566a1097bbb6be9a19232d932cc026fbb1c2aa9a638e26c20e7272b48e5e9c505f52e807755940b7356d4692605ecadaf67a7548ed18d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c641c67-58f0-4c40-a133-8744a32d9170.vbs

Filesize
708B

MD5
e3447fa2f222e104f35b98600855da4c

SHA1
2f78a03b900779e8f1103f11276e6c420b14fec3

SHA256
13993c8c4e7155f4da5560b4e56b35466ca5ba584fab7a5ec58836cd3d092dcf

SHA512
d109ebb7d87cbafbd7da16261feb042f27e9fd05760eab023fe5c73585b9539b725a4e8a9772b5ea018430f68108c901f1f04b5b731f06ba97562b6dc89f3b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8913a869-bee6-46bc-b41d-494116a1b218.vbs

Filesize
708B

MD5
3c08034479fa6a392fcc97a60b3b0aea

SHA1
801a4d4dc24130e7ded43b18e458c1429c6de12a

SHA256
2fe0bd96766c5b3915458213e0479c876f273605584706fb200a2d5881fc9e88

SHA512
cdba3f7469258905e99b4754038130046ecddbed19c1adcdfa0ea8d6f8510fd26b93df51f332bba3a440628ff9e21f01701b7b909c3661138513597eba12ef34

Download Submit
C:\Users\Admin\AppData\Local\Temp\8bf82f45-d8ea-4f38-adbc-396f33b88cb7.vbs

Filesize
708B

MD5
ec9df742b1f81b699cf6bda239a19ff1

SHA1
613fa8816322acabf3cbb7474ada9cde2e653d94

SHA256
3ecb18ccd578f459eb7fc586930ba0a7bd7a990ee91c4679f65b200cb0bf021e

SHA512
6bf13ff1889cde968dd1749f1d55d39c5619234917a890b0f47f8e37d6f6884c65c9d9a669d8e7f14e39ca33f269939c48ccde79b7e88bfdb281b0bf23ba07d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX6E5.tmp

Filesize
1.7MB

MD5
50699c5914ac35c234c6b67e35dc8db0

SHA1
e563907f1f99293ef2e71b8beb673e7e4404ee5a

SHA256
240c067a9459024c61a46fe053ca99130e303f0d6239e385f8a2ff26ed52ef84

SHA512
081a456d5dfc28a833558b0fb9ed23f8b1196016f92937091db02a898a71724c2871c7f909eae3d35d6e4f8cf646e3f6cf4cb6191bc25820beeaab4737506a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c91ae1c2-a1db-45e2-8747-e99d1e099dae.vbs

Filesize
708B

MD5
8ad452aeba34861768ea1934953bbba7

SHA1
ac9b05efca431f29e1eb9c36e4c666a9cfd225fc

SHA256
0b495316699c97efcf3775f590c37d6a0f1e49f7397f505aaf297ac6c1d7545b

SHA512
8548a091ae98680b1f7369464e02bf0b0ab5ffb1cbee35dc341cb2c330a3fef161bf56f346b856b8e21125118b4ddfafaac9d57996586299c7ce9bb5ef749751

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd31a632-0812-4e51-94dd-cb454e3864ef.vbs

Filesize
708B

MD5
c02edbeb0ffc7a325655adc8159205ad

SHA1
f4d114ae92eb29a1376dfbe0fd68a9a1e8e583c0

SHA256
464f3a5f6df0b0a01f5744bafaa4594fd722314cf4622df73d11a56b2ea176ad

SHA512
b9c0873ecc7cb342487ece01950c219cb032e92ebdc7d1666797ac2567542dd9b6645d37a0cfdae285fc2994e417a9eef520420d967b0d929e15ce1be1302c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce1c3f35-8402-4849-8337-53d976b5b0c6.vbs

Filesize
708B

MD5
f7d37436ce191033947d706f4ba69863

SHA1
dad19225e4178db5b6a4af14f550f85a1bdb7fc4

SHA256
427cbb7c914fdb472912cc37dedbfee79e87733a9a970cae57259c03de4377a4

SHA512
16283829edac726ef3cb774f1d45b7d8e91a3d7dd413f015b5a9786a53861f4b46787d35ab3b82e989eb7090a8a91bcd6c2e0f20310f0176942de0608f65b767

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
40a1f66cc6a298102d5d322f428114fe

SHA1
0871e630f435de60ce58979c2b9e6e4a6919f37e

SHA256
16b3802357ad75bd34601c6f6ee09cdc04ab9f1e3923cd0f8a3b760b50c893a9

SHA512
14e4e4c3efd588837afe674ecf6b0a11e3b18d2d090a2ab03785df3d9264753ae2037f0052b1d67538c0ba43cad4e52c7b3baae17540eefc21b1837e3eedd9e0

Download Submit
C:\Windows\Fonts\dllhost.exe

Filesize
1.7MB

MD5
a5db83fe826a93272faed588895c13c8

SHA1
793565c716f7da7bfecae4353b830cc514ff608e

SHA256
eada7b706d5c789eff23093199e80b4708dcf082c1efd39e1e6bb90e80928221

SHA512
d19a7e318257f72e2f39dd95a99fac8845e2591660cebbeddbe2055e0cc03ae550d6a8e9e2926511f45ec97e4b90e562c8d2e3a2e63ba2d4fd019d1645966b69

Download Submit
C:\Windows\L2Schemas\WmiPrvSE.exe

Filesize
1.7MB

MD5
9d0ca5e4b65e70014f28f924e7ed54a0

SHA1
8e7414a621b34f91f7c31e86982b257f3ce08c8e

SHA256
82ef567629bef15edd218fb908c2dfd9c972cb091ab0dc6e852a0198e8983b79

SHA512
c216bad1a0fab25abeadd65e4b3b7df52e271612e576579dbbf3ba91b0913848d85af821c2da6c3998aeb3432ef31d880b57697b10c393bddd95a8ca79fdf39e

Download Submit
memory/1692-79-0x0000000001F90000-0x0000000001F98000-memory.dmp

Filesize
32KB

Download
memory/2292-169-0x0000000000390000-0x0000000000550000-memory.dmp

Filesize
1.8MB

Download
memory/2528-108-0x0000000000AC0000-0x0000000000C80000-memory.dmp

Filesize
1.8MB

Download
memory/2688-182-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2688-181-0x0000000000B30000-0x0000000000CF0000-memory.dmp

Filesize
1.8MB

Download
memory/2808-124-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2808-6-0x0000000000680000-0x0000000000696000-memory.dmp

Filesize
88KB

Download
memory/2808-1-0x0000000001080000-0x0000000001240000-memory.dmp

Filesize
1.8MB

Download
memory/2808-16-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/2808-12-0x0000000000700000-0x000000000070C000-memory.dmp

Filesize
48KB

Download
memory/2808-13-0x0000000000B40000-0x0000000000B4A000-memory.dmp

Filesize
40KB

Download
memory/2808-17-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/2808-9-0x00000000006C0000-0x00000000006C8000-memory.dmp

Filesize
32KB

Download
memory/2808-11-0x00000000006D0000-0x00000000006E2000-memory.dmp

Filesize
72KB

Download
memory/2808-2-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2808-8-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/2808-0-0x000007FEF5F03000-0x000007FEF5F04000-memory.dmp

Filesize
4KB

Download
memory/2808-7-0x00000000006A0000-0x00000000006B0000-memory.dmp

Filesize
64KB

Download
memory/2808-14-0x0000000000B50000-0x0000000000B5E000-memory.dmp

Filesize
56KB

Download
memory/2808-4-0x00000000004E0000-0x00000000004E8000-memory.dmp

Filesize
32KB

Download
memory/2808-20-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2808-15-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/2808-5-0x0000000000670000-0x0000000000680000-memory.dmp

Filesize
64KB

Download
memory/2808-3-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/2892-78-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/3052-135-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download