dcrat | 3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714

Resubmissions

14/01/2025, 02:46

250114-c9pv5avjfz 10

14/01/2025, 02:24

250114-cv7sdswpbj 10

Analysis

max time kernel
842s
max time network
842s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/01/2025, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe
Size

16.0MB
MD5

5aa236eabe65a1e444f1eb31fb330eba
SHA1

b6a8d5362991511526ea5a2b86ad70f05e70652c
SHA256

3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714
SHA512

0ab8e56f1f8a09491d96416bdc2798874ff153ef56c6476cd9eda9fe0744e77f56132073524f1a2719a75d5dea8dcd5706ee1497867f8b3e62c9a52641afc0be
SSDEEP

98304:mjHzjFPB6n2gC9U851tTRIXDNgn+ojsSw9y4Q1vL3NPt:yHHFPgns9BvpyNgnNW4

Score

10^/10

dcrat discovery evasion execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32Local\\csrss.exe\""	DriverbrokerCrtDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32Local\\csrss.exe\", \"C:\\portBrokerDll\\DriverbrokerCrtDhcp.exe\""	DriverbrokerCrtDhcp.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	988	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	988	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	988	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	988	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	988	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	988	schtasks.exe	39

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2812	powershell.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 7 IoCs

pid	Process
2736	XenoSetup(1).exe
2716	Xeno.exe
2148	DriverbrokerCrtDhcp.exe
1028	DriverbrokerCrtDhcp.exe
3104	csrss.exe
2772	DriverbrokerCrtDhcp.exe
880	csrss.exe

Loads dropped DLL 3 IoCs

pid	Process
2144	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe
2216	cmd.exe
2216	cmd.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\DriverbrokerCrtDhcp = "\"C:\\portBrokerDll\\DriverbrokerCrtDhcp.exe\""	DriverbrokerCrtDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverbrokerCrtDhcp = "\"C:\\portBrokerDll\\DriverbrokerCrtDhcp.exe\""	DriverbrokerCrtDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\XenoSetup(1) = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XenoSetup(1).exe"	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32Local\\csrss.exe\""	DriverbrokerCrtDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32Local\\csrss.exe\""	DriverbrokerCrtDhcp.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCE315BEDE318D4B2E8E7AB2ACF6BA3E33.TMP	csc.exe
File created	\??\c:\Windows\System32\dzuhbf.exe	csc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32Local\csrss.exe	DriverbrokerCrtDhcp.exe
File opened for modification	C:\Windows\System32Local\csrss.exe	DriverbrokerCrtDhcp.exe
File created	C:\Windows\System32Local\886983d96e3d3e	DriverbrokerCrtDhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XenoSetup(1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2088	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1784	schtasks.exe
688	schtasks.exe
828	schtasks.exe
1096	schtasks.exe
2396	schtasks.exe
2888	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2812	powershell.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe
2148	DriverbrokerCrtDhcp.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2148	DriverbrokerCrtDhcp.exe
Token: SeDebugPrivilege	1028	DriverbrokerCrtDhcp.exe
Token: SeDebugPrivilege	3104	csrss.exe
Token: SeDebugPrivilege	2772	DriverbrokerCrtDhcp.exe
Token: SeDebugPrivilege	880	csrss.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2812	2144	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	30
PID 2144 wrote to memory of 2812	2144	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	30
PID 2144 wrote to memory of 2812	2144	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	30
PID 2144 wrote to memory of 2736	2144	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	32
PID 2144 wrote to memory of 2736	2144	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	32
PID 2144 wrote to memory of 2736	2144	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	32
PID 2144 wrote to memory of 2736	2144	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	32
PID 2144 wrote to memory of 2736	2144	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	32
PID 2144 wrote to memory of 2736	2144	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	32
PID 2144 wrote to memory of 2736	2144	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	32
PID 2144 wrote to memory of 2716	2144	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	33
PID 2144 wrote to memory of 2716	2144	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	33
PID 2144 wrote to memory of 2716	2144	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	33
PID 2736 wrote to memory of 1856	2736	XenoSetup(1).exe	34
PID 2736 wrote to memory of 1856	2736	XenoSetup(1).exe	34
PID 2736 wrote to memory of 1856	2736	XenoSetup(1).exe	34
PID 2736 wrote to memory of 1856	2736	XenoSetup(1).exe	34
PID 1856 wrote to memory of 2216	1856	WScript.exe	35
PID 1856 wrote to memory of 2216	1856	WScript.exe	35
PID 1856 wrote to memory of 2216	1856	WScript.exe	35
PID 1856 wrote to memory of 2216	1856	WScript.exe	35
PID 2216 wrote to memory of 2088	2216	cmd.exe	37
PID 2216 wrote to memory of 2088	2216	cmd.exe	37
PID 2216 wrote to memory of 2088	2216	cmd.exe	37
PID 2216 wrote to memory of 2088	2216	cmd.exe	37
PID 2216 wrote to memory of 2148	2216	cmd.exe	38
PID 2216 wrote to memory of 2148	2216	cmd.exe	38
PID 2216 wrote to memory of 2148	2216	cmd.exe	38
PID 2216 wrote to memory of 2148	2216	cmd.exe	38
PID 2148 wrote to memory of 884	2148	DriverbrokerCrtDhcp.exe	43
PID 2148 wrote to memory of 884	2148	DriverbrokerCrtDhcp.exe	43
PID 2148 wrote to memory of 884	2148	DriverbrokerCrtDhcp.exe	43
PID 884 wrote to memory of 2756	884	csc.exe	45
PID 884 wrote to memory of 2756	884	csc.exe	45
PID 884 wrote to memory of 2756	884	csc.exe	45
PID 2148 wrote to memory of 2812	2148	DriverbrokerCrtDhcp.exe	46
PID 2148 wrote to memory of 2812	2148	DriverbrokerCrtDhcp.exe	46
PID 2148 wrote to memory of 2812	2148	DriverbrokerCrtDhcp.exe	46
PID 2812 wrote to memory of 2808	2812	csc.exe	48
PID 2812 wrote to memory of 2808	2812	csc.exe	48
PID 2812 wrote to memory of 2808	2812	csc.exe	48
PID 2148 wrote to memory of 1940	2148	DriverbrokerCrtDhcp.exe	52
PID 2148 wrote to memory of 1940	2148	DriverbrokerCrtDhcp.exe	52
PID 2148 wrote to memory of 1940	2148	DriverbrokerCrtDhcp.exe	52
PID 1940 wrote to memory of 2860	1940	cmd.exe	54
PID 1940 wrote to memory of 2860	1940	cmd.exe	54
PID 1940 wrote to memory of 2860	1940	cmd.exe	54
PID 1940 wrote to memory of 1684	1940	cmd.exe	55
PID 1940 wrote to memory of 1684	1940	cmd.exe	55
PID 1940 wrote to memory of 1684	1940	cmd.exe	55
PID 1940 wrote to memory of 1028	1940	cmd.exe	56
PID 1940 wrote to memory of 1028	1940	cmd.exe	56
PID 1940 wrote to memory of 1028	1940	cmd.exe	56
PID 2896 wrote to memory of 3104	2896	taskeng.exe	59
PID 2896 wrote to memory of 3104	2896	taskeng.exe	59
PID 2896 wrote to memory of 3104	2896	taskeng.exe	59
PID 2896 wrote to memory of 2772	2896	taskeng.exe	61
PID 2896 wrote to memory of 2772	2896	taskeng.exe	61
PID 2896 wrote to memory of 2772	2896	taskeng.exe	61
PID 2896 wrote to memory of 880	2896	taskeng.exe	63
PID 2896 wrote to memory of 880	2896	taskeng.exe	63
PID 2896 wrote to memory of 880	2896	taskeng.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe
C:\Users\Admin\AppData\Local\Temp\3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XenoSetup(1).exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\XenoSetup(1).exe
  "C:\Users\Admin\AppData\Local\Temp\XenoSetup(1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2216
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2088
    - - C:\portBrokerDll\DriverbrokerCrtDhcp.exe
        
        "C:\portBrokerDll/DriverbrokerCrtDhcp.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ff1b3bxt\ff1b3bxt.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A47.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3778DFE98A5D48DCBA8EAC777B3C3795.TMP"
        7⤵
        
        PID:2756
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p25bb52k\p25bb52k.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6AA5.tmp" "c:\Windows\System32\CSCE315BEDE318D4B2E8E7AB2ACF6BA3E33.TMP"
        7⤵
        
        PID:2808
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iuDfx3Qvui.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1684
        
        C:\portBrokerDll\DriverbrokerCrtDhcp.exe
        
        "C:\portBrokerDll\DriverbrokerCrtDhcp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
- C:\Users\Admin\AppData\Local\Temp\Xeno.exe
  "C:\Users\Admin\AppData\Local\Temp\Xeno.exe"
  2⤵
  - Executes dropped EXE
  PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\System32Local\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32Local\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\System32Local\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DriverbrokerCrtDhcpD" /sc MINUTE /mo 6 /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DriverbrokerCrtDhcp" /sc ONLOGON /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DriverbrokerCrtDhcpD" /sc MINUTE /mo 9 /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\taskeng.exe
taskeng.exe {7B6B8C53-19D9-4A36-8F5B-CA22E4D1B5C3} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\System32Local\csrss.exe
  C:\Windows\System32Local\csrss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3104
- C:\portBrokerDll\DriverbrokerCrtDhcp.exe
  C:\portBrokerDll\DriverbrokerCrtDhcp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32Local\csrss.exe
  C:\Windows\System32Local\csrss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6A47.tmp

Filesize
1KB

MD5
3dd157fa10d4ff93085bce0e145b1ea1

SHA1
6793e9983529669e72d3a7ecfc86c2a4e9b5b27b

SHA256
7da07956c39533daf5808242b95e48f2f4ea738e1291847e664bc2d680146d29

SHA512
a18f6597a39074b519726525cccfc488cc7d4729b9a5fc5efdf93df958ae83f25222a766bec48e3b140bfc124e2675d6329e067bf275b89d896aec10ec80883e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6AA5.tmp

Filesize
1KB

MD5
158ac6a70c899f62976b706c53a3ed4f

SHA1
09d04b1befc470c598036f1e6b46280a31948702

SHA256
25a035af77faf327d81d782fa213a6dc93358cc9afcd9cf5849fc9f8d13eb191

SHA512
219b95e0971b147a69b3465ce8b04e8ecf5cc1bad85d63159b587622871f6e1c5dce229df8382fe9e60f4e9c59a17ef5f6ea2a1da5f369c4532d16256200a4c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XenoSetup(1).exe

Filesize
3.5MB

MD5
bcf49847a74e554a807294d4f5adfa62

SHA1
c6f105b28ac3bc7dd2e4a444cf96edbcdc45febf

SHA256
eae94b757fe5e150f8f1039140feebc969788bd2c0ef7fe2d4675a81f6dc9898

SHA512
489cf5844853a4ba7489386a545d0369e1eca835a70053aa6e408aed7f42eaa26684859ddf50b874c643c53ae050dcd3d1a27e887e413c8db8636818ba7dcdcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\iuDfx3Qvui.bat

Filesize
216B

MD5
02f56b5a744c3fe90c6731cfb0b2f65b

SHA1
178dafd31430842aca06c708165cd4a70a2c16ee

SHA256
68dca621ea0d74c842c3a9f6d83ec72da3416447f050766621f4dbab481e807e

SHA512
e0c3683959211eca4b32d87b8c53f3442fd9eea658255c8f234ca80785f3765fde57eae28cc7c8608bf3d5b83ab1dd3ac8a9c353c21473d77659db47981907a2

Download Submit
C:\portBrokerDll\2jfojLJgRy.vbe

Filesize
237B

MD5
851d51cdee60a57d4aef51ea7f466436

SHA1
34a13967e69d21091850d4f0dffb2bce88c80e0c

SHA256
5d612089c06bbe2b32de8bfcc3e0ba1e0ef2155cd6cde83b280797c6061ca269

SHA512
7fed60da3ed3ff2a26b8b4cadf0cf6cd3e28259a4a7ec7e3ba97509fa47b7ca75753ca49edf2f218ae323830977c2ecdfb2f05b6fa5de303038c31012926e953

Download Submit
C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat

Filesize
194B

MD5
69c0edf85b6d3ab82c42e82ef04f50f7

SHA1
7acb4d2454d9e04db488c2ee4352cfece1b8ae58

SHA256
3041cc5e5c4251ea1eddccaa5d145446719d6e86dcfd3bc40bc23c80b3102ec2

SHA512
04877f967609e6efb4a8c4f99c4130b3894eb223f390d32c6e2248abaf1bdff71f539f122635f18fa432648b927cc597dd7bdaa52284824f8c57c7909f7dca21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3778DFE98A5D48DCBA8EAC777B3C3795.TMP

Filesize
1KB

MD5
dc289c30c143fd2f8e608119ae4846a0

SHA1
2f0d6888b80d26d9ff52b5decdd63963255e5113

SHA256
37aac241c050fb90090b36441ae1f198d11a0da4ee5f30e3332673f3c6ecf40a

SHA512
68bffd2b69ee9d5857fc9d5b2a71561a985738b5fe0768fc7dd23a753c976529158042f2a239ffe74ed99b5bd4b469fd2220a990d20a742935f5560a55f2d6fd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ff1b3bxt\ff1b3bxt.0.cs

Filesize
386B

MD5
ec2b2da2434a077948b3588dc8608225

SHA1
16acb74e7244688e66b4c9ecbd65681b0fdfcd03

SHA256
09d74391e24e7492961d4069143bc17fd670327e6be74cdca81626ced76ce700

SHA512
2d04276939bd142e5c442efe29355a1e0e79a7a43e8bcd296dafcf5d30280cfefd5b726a0eec61bdad9a2f574c9bb210b54f3aae47431e11fc23ec4a95bf5c58

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ff1b3bxt\ff1b3bxt.cmdline

Filesize
255B

MD5
19c2e025a977fb83701c98e2c7e0989a

SHA1
8ae67ecf6e58edb5b705fdf53348533ed53b50f1

SHA256
2202d506a93f118262d2ee20e9cebd76a22e6a6be9129a7785fe7b0dc530a078

SHA512
2e68b0eb7f25e34b303ba5bfb2cfe1ada43ec467ebb1d78ad6efe4f521e2d88b66af28fcce98aabba8bdd90b1a138b309dbaf4d33b86e033fdfea2bbc298a3a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p25bb52k\p25bb52k.0.cs

Filesize
366B

MD5
c7c7439a185d6de7ffec0151a0dd59ae

SHA1
ba2d27ac46ddf2fa919a7a709ae462ac3bc87b2c

SHA256
148d2d32ddd7bb64982697608eb33b0da0af385692edd22a3e85da6036609b3a

SHA512
5fd83353adb87ec9348f250c634d6390630e95ae94a4bcb770edfc531e2f55b2faacf3c4857965e83f13aafd2e1375ef9ab99012953968506a8bef964a02c43b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p25bb52k\p25bb52k.cmdline

Filesize
235B

MD5
e73fe40b9f25495f8e3e9fc3325accb4

SHA1
7eb21a7ca772a13ffa64464fd9ea1e0cfc6a8324

SHA256
3332ead91b25af198e2aa74118037650d623d9e740b7710661fcea139ded82b0

SHA512
687a142809b1f108995d1202728faea39f0966ba581cfcfeff70da15f9f4d5843be77f5bfe6ac0e36a8c42206cc78fa1884f67c65ac171a917e4a0a91467a6da

Download Submit
\??\c:\Windows\System32\CSCE315BEDE318D4B2E8E7AB2ACF6BA3E33.TMP

Filesize
1KB

MD5
9446a6998523ec187daa3d79bec9c8fa

SHA1
16c7f73aef03c8a15b4d9e8b1cfa5183caf7ca96

SHA256
f55f1bd2c1246cfb3b60cd8649fcc78b3837896bdf5132d6fc8ea0ecabf892d7

SHA512
fac3ad1b0c8663aaa94cd66b6ea0aa1848e570ff4a22b709cf2696abb76e28f42fb0d2a74316a7ad86bb6216177013c6b71ce2f4df139edc3054a03ee3467c9d

Download Submit
\Users\Admin\AppData\Local\Temp\Xeno.exe

Filesize
3.5MB

MD5
056586e6a4d9b97c77fd606b2a63f604

SHA1
b13e10949df28f3944c68b950617a641ea20491b

SHA256
4d3b4ef0ec929ebd649637f55aabd856954e3d6424ac337a17ee4bb65ec2e8f3

SHA512
da2c4066a7975ede5c1645d6cd82f0499b452a021d18aa86ad64130efc9f1da2270be30a7af89b4cce97b0eb13c27f55f37c70db5f2f6aa4a2b5a54dcae72cc0

Download Submit
\portBrokerDll\DriverbrokerCrtDhcp.exe

Filesize
3.3MB

MD5
c9d8bce0425ed81346b9a43f148d948b

SHA1
d3bcb8f02ef3732ffa70fc798cd4ad3d77bbbde6

SHA256
884de0ba4d113a1674b112f76b7d6af9bb11c562d6b58155e974e549694e0f58

SHA512
60e0d21db0518d66f4546dceb978b15d2eb87347cc1676b7420eb2a6c4c1c6fa947d31ae8cb70ce880b76f931702aaab51c46f559dd91a49c9a4bdc83b75368b

Download Submit
memory/880-14419-0x0000000000C50000-0x0000000000C58000-memory.dmp

Filesize
32KB

Download
memory/1028-3672-0x0000000001360000-0x0000000001368000-memory.dmp

Filesize
32KB

Download
memory/2144-1-0x00000000009E0000-0x0000000000D62000-memory.dmp

Filesize
3.5MB

Download
memory/2144-0-0x000007FEF61C3000-0x000007FEF61C4000-memory.dmp

Filesize
4KB

Download
memory/2148-52-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-3606-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/2148-42-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-40-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-98-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-96-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-94-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-92-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-90-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-88-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-86-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-84-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-82-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-80-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-78-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-76-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-74-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-72-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-70-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-66-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-62-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-58-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-46-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-48-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-3592-0x0000000000330000-0x0000000000356000-memory.dmp

Filesize
152KB

Download
memory/2148-3594-0x0000000000300000-0x000000000030E000-memory.dmp

Filesize
56KB

Download
memory/2148-3596-0x0000000000360000-0x000000000037C000-memory.dmp

Filesize
112KB

Download
memory/2148-3598-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/2148-3600-0x00000000003A0000-0x00000000003B8000-memory.dmp

Filesize
96KB

Download
memory/2148-3602-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download
memory/2148-3604-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/2148-44-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-3608-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/2148-3610-0x00000000004E0000-0x00000000004EE000-memory.dmp

Filesize
56KB

Download
memory/2148-3612-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2148-3614-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/2148-3616-0x00000000006D0000-0x00000000006E6000-memory.dmp

Filesize
88KB

Download
memory/2148-3618-0x00000000006F0000-0x0000000000702000-memory.dmp

Filesize
72KB

Download
memory/2148-3620-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/2148-3622-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/2148-3624-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/2148-3626-0x00000000023F0000-0x000000000244A000-memory.dmp

Filesize
360KB

Download
memory/2148-3628-0x0000000000710000-0x000000000071E000-memory.dmp

Filesize
56KB

Download
memory/2148-3630-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/2148-3632-0x0000000000730000-0x000000000073E000-memory.dmp

Filesize
56KB

Download
memory/2148-3634-0x0000000000B90000-0x0000000000BA8000-memory.dmp

Filesize
96KB

Download
memory/2148-3636-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/2148-3638-0x000000001A8A0000-0x000000001A8EE000-memory.dmp

Filesize
312KB

Download
memory/2148-50-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-54-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-56-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-60-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-64-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-68-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-35-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-36-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-38-0x000000001AEE0000-0x000000001B279000-memory.dmp

Filesize
3.6MB

Download
memory/2148-34-0x000000001AEE0000-0x000000001B280000-memory.dmp

Filesize
3.6MB

Download
memory/2148-33-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/2772-10837-0x00000000010F0000-0x00000000010F8000-memory.dmp

Filesize
32KB

Download
memory/2812-7-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2812-8-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2812-6-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/3104-7255-0x0000000001210000-0x0000000001218000-memory.dmp

Filesize
32KB

Download