dcrat | be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2

Analysis

max time kernel
120s
max time network
114s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
Size

1.7MB
MD5

5571c1c959664fea2858b3aeb11f3748
SHA1

e457759fa2e6dba172fa8fba428ebe7462c7fcb3
SHA256

be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2
SHA512

2cd7c9f59b5875258036167fa8a0c0104f64df510d95c4e87bf013056601a9db3c643b22e564c38e72868b6925b11e51aa8832078e7002e56b8e279331ac9be8
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvY:+THUxUoh1IF9gl2b

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2184	schtasks.exe	30

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1620-1-0x0000000001080000-0x0000000001240000-memory.dmp	dcrat
behavioral1/files/0x00090000000120f9-29.dat	dcrat
behavioral1/files/0x0008000000017570-48.dat	dcrat
behavioral1/memory/1640-118-0x0000000000CE0000-0x0000000000EA0000-memory.dmp	dcrat
behavioral1/memory/1692-140-0x0000000000020000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/1660-153-0x00000000009B0000-0x0000000000B70000-memory.dmp	dcrat
behavioral1/memory/2356-165-0x0000000000E70000-0x0000000001030000-memory.dmp	dcrat
behavioral1/memory/2804-177-0x00000000012F0000-0x00000000014B0000-memory.dmp	dcrat
behavioral1/memory/2068-189-0x00000000003F0000-0x00000000005B0000-memory.dmp	dcrat
behavioral1/memory/2308-202-0x0000000001180000-0x0000000001340000-memory.dmp	dcrat
behavioral1/files/0x00070000000175f1-218.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1436	powershell.exe
1740	powershell.exe
2024	powershell.exe
2000	powershell.exe
1624	powershell.exe
1884	powershell.exe
2624	powershell.exe
1976	powershell.exe
280	powershell.exe
2036	powershell.exe
2276	powershell.exe
2992	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe

Executes dropped EXE 9 IoCs

pid	Process
1640	WmiPrvSE.exe
3044	WmiPrvSE.exe
1692	WmiPrvSE.exe
1660	WmiPrvSE.exe
2356	WmiPrvSE.exe
2804	WmiPrvSE.exe
2068	WmiPrvSE.exe
2308	WmiPrvSE.exe
2056	WmiPrvSE.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\24dbde2999530e	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\RCX9E37.tmp	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\RCX9EA5.tmp	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2912	schtasks.exe
2616	schtasks.exe
2776	schtasks.exe
2796	schtasks.exe
2732	schtasks.exe
2588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
1436	powershell.exe
1976	powershell.exe
1740	powershell.exe
2276	powershell.exe
2036	powershell.exe
2000	powershell.exe
1624	powershell.exe
2024	powershell.exe
2992	powershell.exe
1884	powershell.exe
2624	powershell.exe
280	powershell.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe
1640	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	280	powershell.exe
Token: SeDebugPrivilege	1640	WmiPrvSE.exe
Token: SeDebugPrivilege	3044	WmiPrvSE.exe
Token: SeDebugPrivilege	1692	WmiPrvSE.exe
Token: SeDebugPrivilege	1660	WmiPrvSE.exe
Token: SeDebugPrivilege	2356	WmiPrvSE.exe
Token: SeDebugPrivilege	2804	WmiPrvSE.exe
Token: SeDebugPrivilege	2068	WmiPrvSE.exe
Token: SeDebugPrivilege	2308	WmiPrvSE.exe
Token: SeDebugPrivilege	2056	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2624	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	37
PID 1620 wrote to memory of 2624	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	37
PID 1620 wrote to memory of 2624	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	37
PID 1620 wrote to memory of 2992	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	38
PID 1620 wrote to memory of 2992	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	38
PID 1620 wrote to memory of 2992	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	38
PID 1620 wrote to memory of 2276	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	40
PID 1620 wrote to memory of 2276	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	40
PID 1620 wrote to memory of 2276	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	40
PID 1620 wrote to memory of 1884	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	42
PID 1620 wrote to memory of 1884	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	42
PID 1620 wrote to memory of 1884	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	42
PID 1620 wrote to memory of 1436	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	43
PID 1620 wrote to memory of 1436	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	43
PID 1620 wrote to memory of 1436	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	43
PID 1620 wrote to memory of 2036	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	45
PID 1620 wrote to memory of 2036	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	45
PID 1620 wrote to memory of 2036	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	45
PID 1620 wrote to memory of 1740	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	47
PID 1620 wrote to memory of 1740	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	47
PID 1620 wrote to memory of 1740	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	47
PID 1620 wrote to memory of 2000	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	48
PID 1620 wrote to memory of 2000	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	48
PID 1620 wrote to memory of 2000	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	48
PID 1620 wrote to memory of 2024	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	49
PID 1620 wrote to memory of 2024	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	49
PID 1620 wrote to memory of 2024	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	49
PID 1620 wrote to memory of 1624	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	50
PID 1620 wrote to memory of 1624	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	50
PID 1620 wrote to memory of 1624	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	50
PID 1620 wrote to memory of 280	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	51
PID 1620 wrote to memory of 280	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	51
PID 1620 wrote to memory of 280	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	51
PID 1620 wrote to memory of 1976	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	53
PID 1620 wrote to memory of 1976	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	53
PID 1620 wrote to memory of 1976	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	53
PID 1620 wrote to memory of 668	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	61
PID 1620 wrote to memory of 668	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	61
PID 1620 wrote to memory of 668	1620	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	61
PID 668 wrote to memory of 908	668	cmd.exe	63
PID 668 wrote to memory of 908	668	cmd.exe	63
PID 668 wrote to memory of 908	668	cmd.exe	63
PID 668 wrote to memory of 1640	668	cmd.exe	64
PID 668 wrote to memory of 1640	668	cmd.exe	64
PID 668 wrote to memory of 1640	668	cmd.exe	64
PID 1640 wrote to memory of 2784	1640	WmiPrvSE.exe	65
PID 1640 wrote to memory of 2784	1640	WmiPrvSE.exe	65
PID 1640 wrote to memory of 2784	1640	WmiPrvSE.exe	65
PID 1640 wrote to memory of 2604	1640	WmiPrvSE.exe	66
PID 1640 wrote to memory of 2604	1640	WmiPrvSE.exe	66
PID 1640 wrote to memory of 2604	1640	WmiPrvSE.exe	66
PID 2784 wrote to memory of 3044	2784	WScript.exe	68
PID 2784 wrote to memory of 3044	2784	WScript.exe	68
PID 2784 wrote to memory of 3044	2784	WScript.exe	68
PID 3044 wrote to memory of 1376	3044	WmiPrvSE.exe	69
PID 3044 wrote to memory of 1376	3044	WmiPrvSE.exe	69
PID 3044 wrote to memory of 1376	3044	WmiPrvSE.exe	69
PID 3044 wrote to memory of 2564	3044	WmiPrvSE.exe	70
PID 3044 wrote to memory of 2564	3044	WmiPrvSE.exe	70
PID 3044 wrote to memory of 2564	3044	WmiPrvSE.exe	70
PID 1376 wrote to memory of 1692	1376	WScript.exe	71
PID 1376 wrote to memory of 1692	1376	WScript.exe	71
PID 1376 wrote to memory of 1692	1376	WScript.exe	71
PID 1692 wrote to memory of 680	1692	WmiPrvSE.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
"C:\Users\Admin\AppData\Local\Temp\be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDdOsbL9Ya.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:908
- - C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe
    "C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6425251f-bbf7-4734-bfa4-b4a838b3d3a5.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fae5d357-0d12-4722-b6f5-36af60148190.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09dddab6-699f-43b7-8414-9426e2c79ce1.vbs"
        8⤵
        
        PID:680
        
        C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d59fff5-d684-436a-b106-0e35a6ce090b.vbs"
        10⤵
        
        PID:1948
        
        C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f739fb9-f5f2-45c3-ac13-bb4b1fce17c1.vbs"
        12⤵
        
        PID:2840
        
        C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc9dbd25-0e45-429b-9ee5-2937f863f0f4.vbs"
        14⤵
        
        PID:988
        
        C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b79f9f2f-654c-4259-90ac-a1c73e1f9574.vbs"
        16⤵
        
        PID:3048
        
        C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c665649-f708-4a2a-ae19-0f35a109d987.vbs"
        18⤵
        
        PID:2112
        
        C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11cc5b37-a754-4a90-bc52-2b8aa6e7995e.vbs"
        20⤵
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dc8608b-5371-488f-8c03-a40c70cf440c.vbs"
        20⤵
        
        PID:2544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6ad7d7d-c140-4719-8ba8-21b9cec0d4ab.vbs"
        18⤵
        
        PID:2372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08bbe434-f194-4e75-a534-37d2a4d14c95.vbs"
        16⤵
        
        PID:236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\971c5df5-b60c-418d-b6ab-36013c4b5827.vbs"
        14⤵
        
        PID:1896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5d3f5f1-80ce-4688-8dd2-ef70aee8e088.vbs"
        12⤵
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b671c11-4ec9-42ac-a25f-0860f6c22f74.vbs"
        10⤵
        
        PID:2480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c98a835d-0d9a-45f7-9e28-e41ae5849d15.vbs"
        8⤵
        
        PID:2328
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\414e4385-ad54-4f15-bd48-b90b7b9c7912.vbs"
        6⤵
        
        PID:2564
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81a48cec-0baa-498d-ab6a-7fd39e40c870.vbs"
      4⤵
      PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\WmiPrvSE.exe

Filesize
1.7MB

MD5
d6557be27e095096a46c3b6e7537919b

SHA1
de673186340bc6d3b8346844235bedd006752363

SHA256
a5776b19909b4e9d8f980830a35c6e5dde0f5c79ca4ec47ef37bf89918b96009

SHA512
ee6a93d0a0b66ef10a974b9dbf6ee6ac49421033ca068c2226aa79812bebf1273954e068b62a237e255c6e6ee8bd0b47479743608e905906b8e60d78bea85349

Download Submit
C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe

Filesize
1.7MB

MD5
5571c1c959664fea2858b3aeb11f3748

SHA1
e457759fa2e6dba172fa8fba428ebe7462c7fcb3

SHA256
be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2

SHA512
2cd7c9f59b5875258036167fa8a0c0104f64df510d95c4e87bf013056601a9db3c643b22e564c38e72868b6925b11e51aa8832078e7002e56b8e279331ac9be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\09dddab6-699f-43b7-8414-9426e2c79ce1.vbs

Filesize
745B

MD5
1b1cae004b58e89fc008477dc3bdd1bd

SHA1
6c1382456a567dead37df5dbbd8c0a560297da7a

SHA256
1d1c8c03f5d6da9714e22280c72bb6447a5349b38749e43c444e9781a93c7c3f

SHA512
4eab9b1ef1d1dd111c890ff90ff2bf336d7a89dc9bd62daac0544f70bd163ac0692faae9fc3a27a7354a8b6b17b87b8d53e3812697029fff330508cbabbac4fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\11cc5b37-a754-4a90-bc52-2b8aa6e7995e.vbs

Filesize
745B

MD5
edc896ce3c2fadecd0b14fe5642a5a84

SHA1
723a4cfea877dbd5f0bb7a9c23dfc77cd96c2424

SHA256
363d95f231baf929b41ebeb1e6895f6d224a3ef6ba09aeea94b2e2047e23cd83

SHA512
4b33811498a391b78a6021ed394f98a6c095d87e6d01df2614153ec2a58f8d217a9b5e3ccb01bdf1be0aa6043b1c136b3b3984043e611d269b7743adb4e34887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c665649-f708-4a2a-ae19-0f35a109d987.vbs

Filesize
745B

MD5
10d091852a8b2b525c9e40a9af60bf91

SHA1
69f3fd91070d1ca6df97ee3e8a55b29008044038

SHA256
e62e5ebb5d45f1fa7c56663c97d5f03525be830e7ea8242799a29741fea0ea73

SHA512
c4d6a8e542d4bdff3be927ccb2ca46ead8aa59e2b21cc38c80fd6eb30151adbd1951ff25f398e05a3a6aeb8c8abd9d8dee847a1c63ef5a3a4dcc9a5dc84c61f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f739fb9-f5f2-45c3-ac13-bb4b1fce17c1.vbs

Filesize
745B

MD5
7984f2ca6cc04528479a8cf7241f6a69

SHA1
59c439e3402aa886a22f98422a24af4bf720cc06

SHA256
a439a2115deeb9645dae7d0ee30918e01a91dab427bd03b45fcea353dddb5fb7

SHA512
33420c458b52b9019e1d271cea4c0b9b7e66885cab73c56a094330f9344425c816cdcfbc3f88bb17046165d65c7e68c7921e3127373e1b99d347743b63dabc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\6425251f-bbf7-4734-bfa4-b4a838b3d3a5.vbs

Filesize
745B

MD5
67087660174250db08a60cac601d01c4

SHA1
872ec24b0d6484de251be8f8bf1f57ef736d2ca3

SHA256
234d79703a87220f07b307d5d5122651262e27c49119a8ffdf7e13d7be359f4d

SHA512
c572ea954b1f7c4ebf9caa2775eb7011968e8755d157f45af8c23b4f7e2ec887808e2c23c54a23df6c1b181ff7d168327e033af214c288a7229cc355d4125644

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bef106d264164600b6cfe5293022524b7a60ed6.exe

Filesize
812KB

MD5
53ecd5bcb62e2098594a7d4c8d4b3334

SHA1
c98841b9c96a4433723bbac860c3b4aa75246b4b

SHA256
d5216a0727a63425baf78e74b6016d60d59fac1941ae75d11b184149836c9bb7

SHA512
7ed35f77a5dc2e7ece4cf329f00c76b6397885d8c26b38d6c1aac5938d11bb6ab4df516f5c353c787a3e596d7169aab3d0e7e0407db6fd5f9c599b2d9d1e3e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d59fff5-d684-436a-b106-0e35a6ce090b.vbs

Filesize
745B

MD5
65a45a602e5fff72251d817d758ad1e9

SHA1
0c6955964cf18a1d4b664c28454c3cdedb72a8a3

SHA256
19d3c6f29af4b451db3df9def6d406084e9ecf31ec17f4202fd4d8656ecc5572

SHA512
d8c853f9535c5c06ed5784927d65740d7255b70a543008d97cf45a5b14851abe6ce6a4dd0b57c11020841f5411a5c1f73137e471dc94d4dbed02da8c670b8fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\81a48cec-0baa-498d-ab6a-7fd39e40c870.vbs

Filesize
521B

MD5
2ec9c13ae2dda17b57065b7ca1972c13

SHA1
bd54ef446edd889c467834754a9c53812a528593

SHA256
786f7df3bb06e4c89852665014d9ffe562b119a75563f52b2b5294bf65e525e1

SHA512
d524fd92134d957353aece352e19c5f570f9588ec26447e450852aae63269dbe8d8978dc029d39a4fc9ffeca03ac3bf87aa8cad7754d8026597a1c28f1dea107

Download Submit
C:\Users\Admin\AppData\Local\Temp\b79f9f2f-654c-4259-90ac-a1c73e1f9574.vbs

Filesize
745B

MD5
0c0fed29512da303c58d480655485b9e

SHA1
fdbab04195ad6d6873de2c0653ebe58eb8b9365e

SHA256
baf138da4c6dbffed24465f7b199bdfe6ecd0824ec47f675f4ea66b102003cf8

SHA512
c55355b351568948855548f032d8be30b3b1df95d36f533836c8843b5fbc4fc2733717b675d4b5b84514041f8b96045c36c7e94b12ae5d5692b80e7dc3092c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\fae5d357-0d12-4722-b6f5-36af60148190.vbs

Filesize
745B

MD5
6213da8db205e24df7ab64a77877a38c

SHA1
71c9302e711c88eec0327fced5951e97e7714b5c

SHA256
2ca0ba16bd63d61bdc37c375209781919be833d2cef8b08137d2c7074fa57165

SHA512
ad7bf568e59c4da7112128b18f83d3995e9312a5426fb8ccd642c8f1ea5e10963b0991ae9f5cd1b3e85b4ed5aa522c204d7558700faa9ca960092e263f27da77

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc9dbd25-0e45-429b-9ee5-2937f863f0f4.vbs

Filesize
745B

MD5
40a1e99bdb9a75417c85b3daeba34f98

SHA1
c01886dac7bfd7c981ed5f7c58972042cc0053fd

SHA256
de884c36b69495271ec364527bfe5881c1242909c582f1cff4d7d5ac555a5644

SHA512
8b8b407b31fe4b27049686e9ce92598104e844a06cc42ab13d131afe2910d8afa8edce3840b41e18fab16fa931e65fe279047fc01bb9a9a49d5629ae24616156

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDdOsbL9Ya.bat

Filesize
234B

MD5
5fffc6f2d308fc11580adc66b819d2ba

SHA1
899c9a2ec0bcb9d85c2a56f6eab3631560bd0f99

SHA256
f8180c1d82852454887e3de8956bba760d954e2a89144cc4427b259a6e551911

SHA512
c4de638d4a107ebd8be3f6c4ea89c2a79d8cde0b11f53d053ced5a2aad67077633f41d3464471f625d6622b45b5b8ee60f95c56f299611fa90a1dd02974826d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
83ef8fdd71593738b83712afe105c205

SHA1
1357d32f7426fd6086c81c15788575f7cfb3302e

SHA256
ec1d392981665dc061ed735ca28682ccfbddac9435a618b3a679d08f291a1d04

SHA512
c6bfcfde0325ca507bf62f519f148f36e7b426c2d5ddb2e5c6b9f34c519258e84c1d7b77aa715e2d50fd537eaf1284300b27e91e172593e76c380a7eb89f9b63

Download Submit
memory/1436-67-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/1436-66-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/1620-5-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/1620-12-0x0000000000B50000-0x0000000000B5C000-memory.dmp

Filesize
48KB

Download
memory/1620-8-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/1620-13-0x0000000000C20000-0x0000000000C2A000-memory.dmp

Filesize
40KB

Download
memory/1620-1-0x0000000001080000-0x0000000001240000-memory.dmp

Filesize
1.8MB

Download
memory/1620-0-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp

Filesize
4KB

Download
memory/1620-14-0x0000000000C00000-0x0000000000C0E000-memory.dmp

Filesize
56KB

Download
memory/1620-88-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/1620-16-0x0000000000C30000-0x0000000000C3C000-memory.dmp

Filesize
48KB

Download
memory/1620-17-0x0000000000E50000-0x0000000000E5C000-memory.dmp

Filesize
48KB

Download
memory/1620-11-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/1620-7-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/1620-2-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/1620-3-0x00000000009F0000-0x0000000000A0C000-memory.dmp

Filesize
112KB

Download
memory/1620-15-0x0000000000C10000-0x0000000000C18000-memory.dmp

Filesize
32KB

Download
memory/1620-20-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/1620-9-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/1620-4-0x0000000000A10000-0x0000000000A18000-memory.dmp

Filesize
32KB

Download
memory/1620-6-0x0000000000A70000-0x0000000000A86000-memory.dmp

Filesize
88KB

Download
memory/1640-118-0x0000000000CE0000-0x0000000000EA0000-memory.dmp

Filesize
1.8MB

Download
memory/1660-153-0x00000000009B0000-0x0000000000B70000-memory.dmp

Filesize
1.8MB

Download
memory/1692-141-0x0000000002050000-0x0000000002062000-memory.dmp

Filesize
72KB

Download
memory/1692-140-0x0000000000020000-0x00000000001E0000-memory.dmp

Filesize
1.8MB

Download
memory/2056-214-0x0000000000B60000-0x0000000000B72000-memory.dmp

Filesize
72KB

Download
memory/2068-189-0x00000000003F0000-0x00000000005B0000-memory.dmp

Filesize
1.8MB

Download
memory/2068-190-0x0000000002120000-0x0000000002132000-memory.dmp

Filesize
72KB

Download
memory/2308-202-0x0000000001180000-0x0000000001340000-memory.dmp

Filesize
1.8MB

Download
memory/2356-165-0x0000000000E70000-0x0000000001030000-memory.dmp

Filesize
1.8MB

Download
memory/2804-177-0x00000000012F0000-0x00000000014B0000-memory.dmp

Filesize
1.8MB

Download