dcrat | 1605702f0909585b220918e1cbd6b236f5c47714a978990c7d5b43504b90163d

Analysis

max time kernel
72s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2025, 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lithium external.zip
Size

2.5MB
MD5

5abaa60461ee4c19647911a8d9a0006a
SHA1

76cc97f0581d174087f96f058d898b42e8c566a2
SHA256

1605702f0909585b220918e1cbd6b236f5c47714a978990c7d5b43504b90163d
SHA512

93f3d6b3849a2d9c5b81e9fd96cc60d065e5916ff470e974f2b9b5f49462f25ea18b1f4f32c1fe4f3a3c05eb214e1d5e0f6f25f443a5bb3d338eed2471c0f4f3
SSDEEP

49152:aBIg2+HpqXdLYyrF7SUZSiwaJXA78bixRz4S87jaeg7hRFIz39O:o0NLLFSaJsxR4So+eg7hczA

Score

10^/10

dcrat defense_evasion discovery infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	4388	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	4388	schtasks.exe	85

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	PortDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	PortDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	PortDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023cae-4.dat	dcrat
behavioral2/files/0x0007000000023cbe-19.dat	dcrat
behavioral2/memory/3300-21-0x0000000000DF0000-0x00000000010A6000-memory.dmp	dcrat
behavioral2/files/0x0007000000023d10-102.dat	dcrat

Disables Task Manager via registry modification
defense_evasion

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Rust External.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	PortDll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Rust External.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Rust External.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Rust External.exe

Executes dropped EXE 11 IoCs

pid	Process
4076	Rust External.exe
3300	PortDll.exe
2592	services.exe
3568	services.exe
3412	services.exe
836	Rust External.exe
3936	PortDll.exe
2892	Rust External.exe
5032	services.exe
628	PortDll.exe
4132	Rust External.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PortDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	PortDll.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\TextInputHost.exe	PortDll.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\22eafd247d37c3	PortDll.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\sihost.exe	PortDll.exe
File created	C:\Windows\Fonts\66fc9ff0ee96c2	PortDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rust External.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rust External.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rust External.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rust External.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	Rust External.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	PortDll.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	Rust External.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	Rust External.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	Rust External.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	services.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
4104	reg.exe
2560	reg.exe
4684	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3092	schtasks.exe
3316	schtasks.exe
1140	schtasks.exe
1900	schtasks.exe
3084	schtasks.exe
4252	schtasks.exe
1672	schtasks.exe
404	schtasks.exe
5060	schtasks.exe
2300	schtasks.exe
5076	schtasks.exe
3504	schtasks.exe
228	schtasks.exe
2296	schtasks.exe
5116	schtasks.exe
4160	schtasks.exe
2936	schtasks.exe
4344	schtasks.exe
1576	schtasks.exe
3484	schtasks.exe
4676	schtasks.exe
2028	schtasks.exe
2160	schtasks.exe
2076	schtasks.exe
4632	schtasks.exe
4612	schtasks.exe
3220	schtasks.exe
3168	schtasks.exe
2648	schtasks.exe
2488	schtasks.exe
2944	schtasks.exe
2856	schtasks.exe
4484	schtasks.exe
4368	schtasks.exe
1476	schtasks.exe
3968	schtasks.exe
4896	schtasks.exe
4692	schtasks.exe
4584	schtasks.exe
2644	schtasks.exe
880	schtasks.exe
1572	schtasks.exe
4408	schtasks.exe
4940	schtasks.exe
3076	schtasks.exe
4100	schtasks.exe
2064	schtasks.exe
4500	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4968	7zFM.exe
4968	7zFM.exe
4968	7zFM.exe
4968	7zFM.exe
3300	PortDll.exe
4968	7zFM.exe
4968	7zFM.exe
4968	7zFM.exe
4968	7zFM.exe
2592	services.exe
3568	services.exe
3412	services.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4968	7zFM.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	4968	7zFM.exe
Token: 35	4968	7zFM.exe
Token: SeSecurityPrivilege	4968	7zFM.exe
Token: SeDebugPrivilege	3300	PortDll.exe
Token: SeDebugPrivilege	2592	services.exe
Token: SeSecurityPrivilege	4968	7zFM.exe
Token: SeDebugPrivilege	3568	services.exe
Token: SeDebugPrivilege	3412	services.exe
Token: SeDebugPrivilege	3936	PortDll.exe
Token: SeDebugPrivilege	5032	services.exe
Token: SeDebugPrivilege	628	PortDll.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4968	7zFM.exe
4968	7zFM.exe
4968	7zFM.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 4076	4968	7zFM.exe	90
PID 4968 wrote to memory of 4076	4968	7zFM.exe	90
PID 4968 wrote to memory of 4076	4968	7zFM.exe	90
PID 4076 wrote to memory of 2344	4076	Rust External.exe	92
PID 4076 wrote to memory of 2344	4076	Rust External.exe	92
PID 4076 wrote to memory of 2344	4076	Rust External.exe	92
PID 2344 wrote to memory of 436	2344	WScript.exe	93
PID 2344 wrote to memory of 436	2344	WScript.exe	93
PID 2344 wrote to memory of 436	2344	WScript.exe	93
PID 436 wrote to memory of 3300	436	cmd.exe	95
PID 436 wrote to memory of 3300	436	cmd.exe	95
PID 3300 wrote to memory of 1264	3300	PortDll.exe	144
PID 3300 wrote to memory of 1264	3300	PortDll.exe	144
PID 436 wrote to memory of 4684	436	cmd.exe	146
PID 436 wrote to memory of 4684	436	cmd.exe	146
PID 436 wrote to memory of 4684	436	cmd.exe	146
PID 1264 wrote to memory of 1456	1264	cmd.exe	147
PID 1264 wrote to memory of 1456	1264	cmd.exe	147
PID 1264 wrote to memory of 2592	1264	cmd.exe	148
PID 1264 wrote to memory of 2592	1264	cmd.exe	148
PID 2592 wrote to memory of 740	2592	services.exe	151
PID 2592 wrote to memory of 740	2592	services.exe	151
PID 2592 wrote to memory of 3992	2592	services.exe	152
PID 2592 wrote to memory of 3992	2592	services.exe	152
PID 740 wrote to memory of 3568	740	WScript.exe	153
PID 740 wrote to memory of 3568	740	WScript.exe	153
PID 3568 wrote to memory of 4896	3568	services.exe	154
PID 3568 wrote to memory of 4896	3568	services.exe	154
PID 3568 wrote to memory of 3440	3568	services.exe	155
PID 3568 wrote to memory of 3440	3568	services.exe	155
PID 4896 wrote to memory of 3412	4896	WScript.exe	158
PID 4896 wrote to memory of 3412	4896	WScript.exe	158
PID 3412 wrote to memory of 2856	3412	services.exe	160
PID 3412 wrote to memory of 2856	3412	services.exe	160
PID 3412 wrote to memory of 3956	3412	services.exe	161
PID 3412 wrote to memory of 3956	3412	services.exe	161
PID 836 wrote to memory of 4180	836	Rust External.exe	162
PID 836 wrote to memory of 4180	836	Rust External.exe	162
PID 836 wrote to memory of 4180	836	Rust External.exe	162
PID 4180 wrote to memory of 1660	4180	WScript.exe	163
PID 4180 wrote to memory of 1660	4180	WScript.exe	163
PID 4180 wrote to memory of 1660	4180	WScript.exe	163
PID 1660 wrote to memory of 3936	1660	cmd.exe	165
PID 1660 wrote to memory of 3936	1660	cmd.exe	165
PID 2892 wrote to memory of 3780	2892	Rust External.exe	167
PID 2892 wrote to memory of 3780	2892	Rust External.exe	167
PID 2892 wrote to memory of 3780	2892	Rust External.exe	167
PID 2856 wrote to memory of 5032	2856	WScript.exe	168
PID 2856 wrote to memory of 5032	2856	WScript.exe	168
PID 3780 wrote to memory of 3648	3780	WScript.exe	169
PID 3780 wrote to memory of 3648	3780	WScript.exe	169
PID 3780 wrote to memory of 3648	3780	WScript.exe	169
PID 3648 wrote to memory of 628	3648	cmd.exe	171
PID 3648 wrote to memory of 628	3648	cmd.exe	171
PID 1660 wrote to memory of 4104	1660	cmd.exe	176
PID 1660 wrote to memory of 4104	1660	cmd.exe	176
PID 1660 wrote to memory of 4104	1660	cmd.exe	176
PID 3648 wrote to memory of 2560	3648	cmd.exe	177
PID 3648 wrote to memory of 2560	3648	cmd.exe	177
PID 3648 wrote to memory of 2560	3648	cmd.exe	177
PID 4132 wrote to memory of 908	4132	Rust External.exe	181
PID 4132 wrote to memory of 908	4132	Rust External.exe	181
PID 4132 wrote to memory of 908	4132	Rust External.exe	181

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	PortDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	PortDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	PortDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\lithium external.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Users\Admin\AppData\Local\Temp\7zO863B5CC7\Rust External.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO863B5CC7\Rust External.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Agentcomponentdriver\cF2nsYK.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Agentcomponentdriver\gyWUCXXRJzCMxdWE9QlvhicilMz.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:436
    - - C:\Agentcomponentdriver\PortDll.exe
        
        "C:\Agentcomponentdriver\PortDll.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3300
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KjrLCSMPDQ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1456
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36f4394c-bc31-4c88-aa13-67d0f187b9e5.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ef5a38b-c1c4-4630-8c9b-7b738a718e49.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bbac697-2e07-4ead-8da0-d093ab0a0e98.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ab3f168-732d-4d14-a5da-db7f6df85643.vbs"
        12⤵
        
        PID:3956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bd2fcca-730f-4671-9571-452db9c63f2b.vbs"
        10⤵
        
        PID:3440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dcd6085-0ac4-4210-aedb-7337dfc48147.vbs"
        8⤵
        
        PID:3992
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Agentcomponentdriver\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Agentcomponentdriver\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Agentcomponentdriver\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Agentcomponentdriver\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Agentcomponentdriver\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Agentcomponentdriver\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Agentcomponentdriver\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Agentcomponentdriver\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Agentcomponentdriver\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Agentcomponentdriver\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Agentcomponentdriver\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Agentcomponentdriver\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Cookies\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Cookies\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Cookies\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Recent\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Recent\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Fonts\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\PrintHood\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\PrintHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7zFM7" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\7zFM.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7zFM" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\7zFM.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7zFM7" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\7zFM.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Agentcomponentdriver\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Agentcomponentdriver\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Agentcomponentdriver\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Agentcomponentdriver\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Agentcomponentdriver\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Agentcomponentdriver\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:428

C:\Users\Admin\Downloads\Rust External.exe
"C:\Users\Admin\Downloads\Rust External.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Agentcomponentdriver\cF2nsYK.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Agentcomponentdriver\gyWUCXXRJzCMxdWE9QlvhicilMz.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Agentcomponentdriver\PortDll.exe
      "C:\Agentcomponentdriver\PortDll.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3936
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4104

C:\Users\Admin\Downloads\Rust External.exe
"C:\Users\Admin\Downloads\Rust External.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Agentcomponentdriver\cF2nsYK.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Agentcomponentdriver\gyWUCXXRJzCMxdWE9QlvhicilMz.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Agentcomponentdriver\PortDll.exe
      "C:\Agentcomponentdriver\PortDll.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:628
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2560

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:1736

C:\Users\Admin\Downloads\Rust External.exe
"C:\Users\Admin\Downloads\Rust External.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Agentcomponentdriver\cF2nsYK.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Agentcomponentdriver\PortDll.exe

Filesize
2.7MB

MD5
36678031ac136dc944f5b836ff267243

SHA1
5670ecf38e35121e09bcde5c3fc834d96e290752

SHA256
fb7730673d10c85f7496c509e0fef578f30f9ef818e62fd576907b33dc6ce025

SHA512
08d79ea3841c60c6f1cb1d946ecd71812bd19155246f10029afa09d283c098b57e5743d6978675be15638db8a8b68828842dd49c84a970f389a30cb10c161fda

Download Submit
C:\Agentcomponentdriver\cF2nsYK.vbe

Filesize
224B

MD5
58f14b1ab2fe69675f2092835a963260

SHA1
3a5c88e3f551cdfb6d7053f374f475f65250a342

SHA256
d3aba5d7c01e3f8de8969d52e11aeab5777abf679cf305a3e78bf42f42515283

SHA512
82f3bbb05f13fd062d81862a30f203bc4ca6bcd643a85e3a393bfe5ae77e602fcb2daa0004a29c757c38cbb4c0807316c933f9e0802dba2701363e92566597da

Download Submit
C:\Agentcomponentdriver\gyWUCXXRJzCMxdWE9QlvhicilMz.bat

Filesize
149B

MD5
61f83fd24fdcd1acc1b20155cf97dcd8

SHA1
e21ecbd09f4c98a591f15f6e64cba7b65fd165f5

SHA256
1725ca5841f1f224c9d9e335530e1c805fa838f873e8316db7ff8cc4ffd76120

SHA512
8e1851ce4ab75fbd7286192026904f965f9952fbc0fa9dd3ddc3cd06f1907231d2e977c63a534de618f497d22e1e960bb9edada8c46409ef25e151da6045c6b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PortDll.exe.log

Filesize
1KB

MD5
655010c15ea0ca05a6e5ddcd84986b98

SHA1
120bf7e516aeed462c07625fbfcdab5124ad05d3

SHA256
2b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14

SHA512
e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
49b64127208271d8f797256057d0b006

SHA1
b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

SHA256
2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

SHA512
f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\36f4394c-bc31-4c88-aa13-67d0f187b9e5.vbs

Filesize
710B

MD5
312919d827e3efde7feaf64211fb6889

SHA1
459ce79fc151669455b4137a31c1e539c473d36c

SHA256
97820fc9a2a5d2e6075d328c99856f456e9335dd31075f51f80a656e6ff6f01e

SHA512
26b2ae91031372e84f2dd50c7edb1b4275e1c559ab30542f377529fbc4e55379b5285ac193ea3d88558f45db83a983466f06c75bbe8daa0c2bd3f12cb91bb2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bbac697-2e07-4ead-8da0-d093ab0a0e98.vbs

Filesize
710B

MD5
80e3856b56688aad8dc758d29ed4aeae

SHA1
1331692eed5591f5c1ad224ce571f4e5fc88cbad

SHA256
eef7a40069ddc9771d1c3eb480f16635f983fee01a0ba91ba2c5dc5697a974bb

SHA512
7ae9504254491e0c166d3239f40fec935cf21528958a7f93ee6b8531a4a5c90bb01057bf9d1dd581b1acbf78d73092bed60d7b47085f868d102f368bf4b365e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dcd6085-0ac4-4210-aedb-7337dfc48147.vbs

Filesize
486B

MD5
7fc6c02cd3ff6d15779a47261dbc92b9

SHA1
83bdd3760e3e166826f0cb242a04a113cb198b5c

SHA256
9c496a40b2f5d9fd0ead2b89b05570b2cb745a3d1424e54b99c4f61134f002c0

SHA512
c20880b6440e9448650db938d4edbbde239b63dcb8426a073ddaca4d819099a1454edf1f855db72bbc100132c42877951a5ecccabf1596ebdd3e675ce55f470d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ef5a38b-c1c4-4630-8c9b-7b738a718e49.vbs

Filesize
710B

MD5
95592fea86bb28bec6136d950919296b

SHA1
d93b8912380fff21906f891fcb4cdf06b30ba0d3

SHA256
4ba52a7ecb1c34625b57635682b21407d283336b44979bdd6c221843ce0cafbc

SHA512
cf10710bcda9dcf817c951ddcb3be7e43de6b78b584d526a1bb06a2777393438137f92fafb8b9c2f04bc21c3b39056c80f1b288ef95ea9ea1cbac0b0576e47d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO863B5CC7\Rust External.exe

Filesize
3.0MB

MD5
052d8274e7bd005fabb352b5e5789cd9

SHA1
853421783272ff3bf84999956703f56a9ef6b281

SHA256
656a8bc85180846d696a852121d269f793861c370c1c4c82e9962916c8a5b502

SHA512
c8d0f08dbc22e85bf292905a07ea2d67359ba25c6a601e3d5998ae39a1487df98e070dc0e6a933bf0d33dd41d18a9ae9a75834f3163ec18cf0aa147088eb922d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c5aa798322712a26523b2ce90e185a52b9bb2f6.exe

Filesize
2.7MB

MD5
48db8cf594c31a6f0d488db47c08e60e

SHA1
8408fb8ce20405fc5f15b8b8f5328ce99a644cff

SHA256
d8a05689c808d3db1bed33f848060b5e7681b953810f8001fd613754172ba3c4

SHA512
b6e6aaeae274c9e1d9635b596b4bf87afd761fcbc0d19888678ca01197c62d06935e56e0221815fa830b77d96632e2a8815c631fa765153185728b56af071259

Download Submit
C:\Users\Admin\AppData\Local\Temp\KjrLCSMPDQ.bat

Filesize
199B

MD5
b5b6e811b247e91b5a6802a432cd74c4

SHA1
072451fe8bb95b568f4c900b730db07ca5da82cc

SHA256
ba6a3bfe475f67f889eb139ef040ec52d5aad20a0ddaa25dfefc3467791f83d4

SHA512
45b2eaa3a7d07dc7a0bb28dddd9a7bfb8f84dbdf07502ee21d2e55d5136736198d81a5fdaed204a0e12d516d9ee742750880486ff9df04f340446766d3c773b4

Download Submit
memory/2592-83-0x000000001D3F0000-0x000000001D402000-memory.dmp

Filesize
72KB

Download
memory/3300-27-0x000000001BE10000-0x000000001BE1A000-memory.dmp

Filesize
40KB

Download
memory/3300-39-0x000000001C630000-0x000000001C638000-memory.dmp

Filesize
32KB

Download
memory/3300-33-0x000000001C420000-0x000000001C42C000-memory.dmp

Filesize
48KB

Download
memory/3300-38-0x000000001C470000-0x000000001C47E000-memory.dmp

Filesize
56KB

Download
memory/3300-37-0x000000001C460000-0x000000001C468000-memory.dmp

Filesize
32KB

Download
memory/3300-36-0x000000001C450000-0x000000001C45E000-memory.dmp

Filesize
56KB

Download
memory/3300-35-0x000000001C440000-0x000000001C44A000-memory.dmp

Filesize
40KB

Download
memory/3300-34-0x000000001C430000-0x000000001C438000-memory.dmp

Filesize
32KB

Download
memory/3300-32-0x000000001BE90000-0x000000001BE98000-memory.dmp

Filesize
32KB

Download
memory/3300-40-0x000000001C640000-0x000000001C64A000-memory.dmp

Filesize
40KB

Download
memory/3300-41-0x000000001C650000-0x000000001C65C000-memory.dmp

Filesize
48KB

Download
memory/3300-31-0x000000001C950000-0x000000001CE78000-memory.dmp

Filesize
5.2MB

Download
memory/3300-30-0x000000001BE80000-0x000000001BE92000-memory.dmp

Filesize
72KB

Download
memory/3300-29-0x000000001BE20000-0x000000001BE2C000-memory.dmp

Filesize
48KB

Download
memory/3300-28-0x000000001C3B0000-0x000000001C406000-memory.dmp

Filesize
344KB

Download
memory/3300-25-0x000000001BDE0000-0x000000001BDE8000-memory.dmp

Filesize
32KB

Download
memory/3300-26-0x000000001BDF0000-0x000000001BE06000-memory.dmp

Filesize
88KB

Download
memory/3300-21-0x0000000000DF0000-0x00000000010A6000-memory.dmp

Filesize
2.7MB

Download
memory/3300-24-0x000000001BE30000-0x000000001BE80000-memory.dmp

Filesize
320KB

Download
memory/3300-23-0x000000001BDC0000-0x000000001BDDC000-memory.dmp

Filesize
112KB

Download
memory/3300-22-0x000000001BDB0000-0x000000001BDBE000-memory.dmp

Filesize
56KB

Download
memory/3412-110-0x000000001C3F0000-0x000000001C402000-memory.dmp

Filesize
72KB

Download
memory/3568-98-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download