dcrat | 6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
Size

1.5MB
MD5

7b81efb209e9196c7cc9fcd1dec94fe0
SHA1

fd7f106b9ff78b24f103ed478c67648e392f4de5
SHA256

6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07
SHA512

60a7a9bafb1920dd1ade5fdcd659e5f8f6150143352b2ac7a708e95010fb89c9532f3d7e4cfd17850da60ded76c66af3d62f4f0d464a15869b13a488f2d81269
SSDEEP

24576:dbfESdvMj6hoGDAQsJ+N6XcHQWq3QY2SrXQLdok0OjYS4mej+T1kJCv:ZEi6GDAQORcwW5/oBjme81

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\lsass.exe\", \"C:\\Windows\\schemas\\Provisioning\\fontdrvhost.exe\", \"C:\\Users\\Admin\\StartMenuExperienceHost.exe\", \"C:\\ProgramData\\Microsoft OneDrive\\setup\\csrss.exe\""	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\lsass.exe\", \"C:\\Windows\\schemas\\Provisioning\\fontdrvhost.exe\", \"C:\\Users\\Admin\\StartMenuExperienceHost.exe\", \"C:\\ProgramData\\Microsoft OneDrive\\setup\\csrss.exe\", \"C:\\Program Files\\Common Files\\Services\\OfficeClickToRun.exe\""	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\lsass.exe\", \"C:\\Windows\\schemas\\Provisioning\\fontdrvhost.exe\", \"C:\\Users\\Admin\\StartMenuExperienceHost.exe\", \"C:\\ProgramData\\Microsoft OneDrive\\setup\\csrss.exe\", \"C:\\Program Files\\Common Files\\Services\\OfficeClickToRun.exe\", \"C:\\Users\\Admin\\Cookies\\sihost.exe\""	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\lsass.exe\""	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\lsass.exe\", \"C:\\Windows\\schemas\\Provisioning\\fontdrvhost.exe\""	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\lsass.exe\", \"C:\\Windows\\schemas\\Provisioning\\fontdrvhost.exe\", \"C:\\Users\\Admin\\StartMenuExperienceHost.exe\""	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	244	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	4424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	4424	schtasks.exe	83

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2692	powershell.exe
4364	powershell.exe
3772	powershell.exe
4864	powershell.exe
5096	powershell.exe
1132	powershell.exe
4580	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sihost.exe

Executes dropped EXE 2 IoCs

pid	Process
3112	sihost.exe
2560	sihost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Microsoft OneDrive\\setup\\csrss.exe\""	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\Services\\OfficeClickToRun.exe\""	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Admin\\Cookies\\sihost.exe\""	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\lsass.exe\""	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\schemas\\Provisioning\\fontdrvhost.exe\""	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Admin\\StartMenuExperienceHost.exe\""	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Services\RCXD5C4.tmp	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
File opened for modification	C:\Program Files\Common Files\Services\OfficeClickToRun.exe	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\6203df4a6bafc7	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
File created	C:\Program Files\Common Files\Services\OfficeClickToRun.exe	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
File created	C:\Program Files\Common Files\Services\e6c9b481da804f	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCXCCB7.tmp	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\schemas\Provisioning\fontdrvhost.exe	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
File created	C:\Windows\schemas\Provisioning\5b884080fd4f94	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
File opened for modification	C:\Windows\schemas\Provisioning\RCXCEDB.tmp	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
File opened for modification	C:\Windows\schemas\Provisioning\fontdrvhost.exe	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4928	schtasks.exe
2592	schtasks.exe
3936	schtasks.exe
4784	schtasks.exe
884	schtasks.exe
3596	schtasks.exe
1424	schtasks.exe
3608	schtasks.exe
2860	schtasks.exe
2252	schtasks.exe
2144	schtasks.exe
244	schtasks.exe
2424	schtasks.exe
4224	schtasks.exe
4712	schtasks.exe
1052	schtasks.exe
320	schtasks.exe
3300	schtasks.exe
4768	schtasks.exe
3192	schtasks.exe
3956	schtasks.exe
3156	schtasks.exe
4688	schtasks.exe
4848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1576	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
4580	powershell.exe
2692	powershell.exe
4364	powershell.exe
5096	powershell.exe
3772	powershell.exe
4864	powershell.exe
2692	powershell.exe
2692	powershell.exe
1132	powershell.exe
1132	powershell.exe
4580	powershell.exe
5096	powershell.exe
4364	powershell.exe
3772	powershell.exe
3772	powershell.exe
4864	powershell.exe
4864	powershell.exe
1132	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1576	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	3112	sihost.exe
Token: SeDebugPrivilege	2560	sihost.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 4364	1576	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe	109
PID 1576 wrote to memory of 4364	1576	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe	109
PID 1576 wrote to memory of 3772	1576	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe	110
PID 1576 wrote to memory of 3772	1576	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe	110
PID 1576 wrote to memory of 4864	1576	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe	111
PID 1576 wrote to memory of 4864	1576	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe	111
PID 1576 wrote to memory of 5096	1576	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe	112
PID 1576 wrote to memory of 5096	1576	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe	112
PID 1576 wrote to memory of 1132	1576	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe	113
PID 1576 wrote to memory of 1132	1576	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe	113
PID 1576 wrote to memory of 4580	1576	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe	114
PID 1576 wrote to memory of 4580	1576	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe	114
PID 1576 wrote to memory of 2692	1576	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe	115
PID 1576 wrote to memory of 2692	1576	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe	115
PID 1576 wrote to memory of 1588	1576	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe	123
PID 1576 wrote to memory of 1588	1576	6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe	123
PID 1588 wrote to memory of 4416	1588	cmd.exe	125
PID 1588 wrote to memory of 4416	1588	cmd.exe	125
PID 1588 wrote to memory of 3112	1588	cmd.exe	132
PID 1588 wrote to memory of 3112	1588	cmd.exe	132
PID 3112 wrote to memory of 5104	3112	sihost.exe	133
PID 3112 wrote to memory of 5104	3112	sihost.exe	133
PID 3112 wrote to memory of 1644	3112	sihost.exe	134
PID 3112 wrote to memory of 1644	3112	sihost.exe	134
PID 5104 wrote to memory of 2560	5104	WScript.exe	144
PID 5104 wrote to memory of 2560	5104	WScript.exe	144

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
"C:\Users\Admin\AppData\Local\Temp\6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\Provisioning\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft OneDrive\setup\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hxvYZ0BYfj.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4416
- - C:\Users\Admin\Cookies\sihost.exe
    "C:\Users\Admin\Cookies\sihost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3112
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89889b28-1558-4513-9289-391bf57620bf.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5104
    - - C:\Users\Admin\Cookies\sihost.exe
        
        C:\Users\Admin\Cookies\sihost.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4fbd2e0-d09b-4014-896b-5665e04af4ce.vbs"
      4⤵
      PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "JVWZlsass" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PeEAlsass" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b1R2lsass" /sc ONSTART /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "UsPTfontdrvhost" /sc MINUTE /mo 13 /tr "'C:\Windows\schemas\Provisioning\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Clovfontdrvhost" /sc ONLOGON /tr "'C:\Windows\schemas\Provisioning\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "oMXIfontdrvhost" /sc ONSTART /tr "'C:\Windows\schemas\Provisioning\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc MINUTE /mo 11 /tr "'C:\Windows\schemas\Provisioning\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WpErStartMenuExperienceHost" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "uDUaStartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9SPhStartMenuExperienceHost" /sc ONSTART /tr "'C:\Users\Admin\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "H9H6csrss" /sc MINUTE /mo 5 /tr "'C:\ProgramData\Microsoft OneDrive\setup\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wd3fcsrss" /sc ONLOGON /tr "'C:\ProgramData\Microsoft OneDrive\setup\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SdYycsrss" /sc ONSTART /tr "'C:\ProgramData\Microsoft OneDrive\setup\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 11 /tr "'C:\ProgramData\Microsoft OneDrive\setup\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "iSaWOfficeClickToRun" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Services\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "F3JhOfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d6u0OfficeClickToRun" /sc ONSTART /tr "'C:\Program Files\Common Files\Services\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Services\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PIYesihost" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Cookies\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ULRbsihost" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "FGQmsihost" /sc ONSTART /tr "'C:\Users\Admin\Cookies\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Cookies\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Services\OfficeClickToRun.exe

Filesize
1.5MB

MD5
7b81efb209e9196c7cc9fcd1dec94fe0

SHA1
fd7f106b9ff78b24f103ed478c67648e392f4de5

SHA256
6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07

SHA512
60a7a9bafb1920dd1ade5fdcd659e5f8f6150143352b2ac7a708e95010fb89c9532f3d7e4cfd17850da60ded76c66af3d62f4f0d464a15869b13a488f2d81269

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
3ad9a5252966a3ab5b1b3222424717be

SHA1
5397522c86c74ddbfb2585b9613c794f4b4c3410

SHA256
27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

SHA512
b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe

Filesize
1.5MB

MD5
22fc2ce0dc9a55464c7377f89dd299b1

SHA1
fd6139576ad51b8a8624269629c204918af5bc43

SHA256
9e2ea2265dd297fa580760a502cd2db9ede88aaf810eb57a757b698282774d1d

SHA512
a1486b208a520eb0e9c2710c12d12d45145365c4fc8606917c946045d46862c5ccf96a53ea90798a78fd26c846e9812b496109216eeaf90b24416e8519f060cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\89889b28-1558-4513-9289-391bf57620bf.vbs

Filesize
709B

MD5
327a1cf93e933886d8589b35ecfadcda

SHA1
4e581a807a9e7f97ca84c4493de87fa0eb41eb9d

SHA256
251bae6f2088bc31e9074fa917fa976bca0dd962213fb2c593986ccda99bbf91

SHA512
e32cc99b774b7e45c6dc138dab4ecfc8affcf2ac7d81a06805dd837ac9a1330ae62204d15f059f9ae147b2f0b9767fc232e50ff3e2e34259efe0cc30cc9f729f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ssg0kc1p.kg1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4fbd2e0-d09b-4014-896b-5665e04af4ce.vbs

Filesize
485B

MD5
f733f0eac2a3bcf9c55576bf7b2c25fe

SHA1
d6ceb33aa4031bf8a0c721515bd611af3f513363

SHA256
40d360642e0130e92bf268454ded94a6788416820f0cd8ac899b122fea4da39c

SHA512
affd2abbdcbeefc2b1d9ec84a932aa3fe4c89ca5d56a6abc9850a7c2d5afa45c4318dc2b609479b1459094abcdf94a44d1d9abfaad15c0fe3da494e44934d864

Download Submit
C:\Users\Admin\AppData\Local\Temp\hxvYZ0BYfj.bat

Filesize
197B

MD5
82f26f2f73b413c5b0fefa4afdeb2400

SHA1
6c15d8e9d20b3fe6784e75ec3269ca08bc23ddf5

SHA256
41461898ff5ca1c8c15c505104e2d4bb2bc874e4fbd1f809ab21f642864c6db7

SHA512
751ec09c617cc0a86dbe28ca5c90197d3dee533a2700178b0f659f73b05ce14df7931ca141838c7440d1ca6651013c4026196afa7dea3313784e6662f5d4c1e2

Download Submit
memory/1576-8-0x000000001B4E0000-0x000000001B4F0000-memory.dmp

Filesize
64KB

Download
memory/1576-3-0x0000000002940000-0x000000000295C000-memory.dmp

Filesize
112KB

Download
memory/1576-14-0x000000001B530000-0x000000001B53C000-memory.dmp

Filesize
48KB

Download
memory/1576-9-0x000000001B4D0000-0x000000001B4DC000-memory.dmp

Filesize
48KB

Download
memory/1576-0-0x00007FF8470A3000-0x00007FF8470A5000-memory.dmp

Filesize
8KB

Download
memory/1576-1-0x00000000006F0000-0x000000000087C000-memory.dmp

Filesize
1.5MB

Download
memory/1576-119-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

Filesize
10.8MB

Download
memory/1576-12-0x000000001B510000-0x000000001B51C000-memory.dmp

Filesize
48KB

Download
memory/1576-10-0x000000001B4F0000-0x000000001B4FC000-memory.dmp

Filesize
48KB

Download
memory/1576-7-0x0000000002AA0000-0x0000000002AB2000-memory.dmp

Filesize
72KB

Download
memory/1576-4-0x000000001BB70000-0x000000001BBC0000-memory.dmp

Filesize
320KB

Download
memory/1576-6-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/1576-5-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/1576-13-0x000000001B520000-0x000000001B52A000-memory.dmp

Filesize
40KB

Download
memory/1576-11-0x000000001B500000-0x000000001B50A000-memory.dmp

Filesize
40KB

Download
memory/1576-2-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

Filesize
10.8MB

Download
memory/2560-171-0x0000000002DC0000-0x0000000002DD2000-memory.dmp

Filesize
72KB

Download
memory/2692-74-0x00000271FE3A0000-0x00000271FE3C2000-memory.dmp

Filesize
136KB

Download
memory/3112-158-0x00000000029A0000-0x00000000029B2000-memory.dmp

Filesize
72KB

Download
memory/3112-157-0x00000000004B0000-0x000000000063C000-memory.dmp

Filesize
1.5MB

Download