dcrat | 2637fba7a82cf6b7b65ecea2e83da886d4252db8bf64e8dc4de29768c828745c

Resubmissions

13-02-2025 12:32

250213-pqvy9axpak 8

02-02-2025 12:46

250202-pzvd3ssjhx 10

Analysis

max time kernel
55s
max time network
57s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
02-02-2025 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DeltaCrack.exe
Size

12KB
MD5

b6f8ce701bcbc0dea1ce3932bad8bd59
SHA1

5b0117f1ac2649173034784574426d3875c1c2a9
SHA256

2637fba7a82cf6b7b65ecea2e83da886d4252db8bf64e8dc4de29768c828745c
SHA512

a83d4555adfa3b9bf664b774fd60d70286e2cb3dcef36688b056d643b3b6e919485bfc55146fc24447e5367531c22ef58894d0fe20836316596ea34b95d7a2b3
SSDEEP

192:6JcV4aQPPUEdt5ymbzRH+GxfekEcDZbU865/WH1yaME+zrq9:6JcV49PM+tYmbNj9emy865Iyw+zrq

Score

10^/10

dcrat defense_evasion discovery execution infostealer persistence privilege_escalation rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 11 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\WmiPrvSE.exe\", \"C:\\blockwin\\dllhost.exe\""	perfNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\WmiPrvSE.exe\", \"C:\\blockwin\\dllhost.exe\", \"C:\\Program Files\\Java\\jre-1.8\\legal\\javafx\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\cmd.exe\", \"C:\\Program Files\\Google\\SppExtComObj.exe\""	perfNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\WmiPrvSE.exe\", \"C:\\blockwin\\dllhost.exe\", \"C:\\Program Files\\Java\\jre-1.8\\legal\\javafx\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\cmd.exe\", \"C:\\Program Files\\Google\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\IME\\it-IT\\dllhost.exe\""	perfNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\WmiPrvSE.exe\", \"C:\\blockwin\\dllhost.exe\", \"C:\\Program Files\\Java\\jre-1.8\\legal\\javafx\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\cmd.exe\", \"C:\\Program Files\\Google\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\IME\\it-IT\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Idle.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\sppsvc.exe\""	perfNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\WmiPrvSE.exe\""	perfNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\WmiPrvSE.exe\", \"C:\\blockwin\\dllhost.exe\", \"C:\\Program Files\\Java\\jre-1.8\\legal\\javafx\\WmiPrvSE.exe\""	perfNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\WmiPrvSE.exe\", \"C:\\blockwin\\dllhost.exe\", \"C:\\Program Files\\Java\\jre-1.8\\legal\\javafx\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\cmd.exe\""	perfNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\WmiPrvSE.exe\", \"C:\\blockwin\\dllhost.exe\", \"C:\\Program Files\\Java\\jre-1.8\\legal\\javafx\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\cmd.exe\", \"C:\\Program Files\\Google\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\""	perfNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\WmiPrvSE.exe\", \"C:\\blockwin\\dllhost.exe\", \"C:\\Program Files\\Java\\jre-1.8\\legal\\javafx\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\cmd.exe\", \"C:\\Program Files\\Google\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\IME\\it-IT\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Idle.exe\""	perfNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\WmiPrvSE.exe\", \"C:\\blockwin\\dllhost.exe\", \"C:\\Program Files\\Java\\jre-1.8\\legal\\javafx\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\cmd.exe\", \"C:\\Program Files\\Google\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\IME\\it-IT\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Idle.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\sppsvc.exe\", \"C:\\blockwin\\WmiPrvSE.exe\""	perfNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Windows\\Web\\xdwdDelta.exe"	ThirdPartyGUI.exe

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	2808	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	2808	schtasks.exe	84

UAC bypass 3 TTPs 6 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	perfNet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	perfNet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	perfNet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x001f00000002aa77-87.dat	dcrat
behavioral1/files/0x001a00000002aaac-131.dat	dcrat
behavioral1/memory/1592-133-0x0000000000890000-0x0000000000BCE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2436	powershell.exe
1648	powershell.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
5	900	DeltaCrack.exe
4	900	DeltaCrack.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 6 IoCs

pid	Process
5004	ThirdPartyGUI.exe
4916	DCRatBuilda.exe
2844	xdwdDelta.exe
1592	perfNet.exe
3524	Idle.exe
1604	xdwdDelta.exe

Loads dropped DLL 46 IoCs

pid	Process
2484	Process not Found
2844	xdwdDelta.exe
4036	Process not Found
2732	Process not Found
1592	perfNet.exe
1224	schtasks.exe
4620	schtasks.exe
2544	schtasks.exe
3800	schtasks.exe
5108	schtasks.exe
4352	schtasks.exe
2500	schtasks.exe
4884	schtasks.exe
4832	schtasks.exe
1400	schtasks.exe
228	schtasks.exe
2176	schtasks.exe
688	schtasks.exe
2608	schtasks.exe
2096	schtasks.exe
2512	schtasks.exe
2744	schtasks.exe
2060	schtasks.exe
3508	schtasks.exe
3968	schtasks.exe
3384	schtasks.exe
1144	schtasks.exe
3500	schtasks.exe
1844	schtasks.exe
780	schtasks.exe
888	schtasks.exe
4596	schtasks.exe
2900	schtasks.exe
4544	schtasks.exe
4800	schtasks.exe
3524	Idle.exe
4532	WScript.exe
4872	WScript.exe
1604	xdwdDelta.exe
1792	Process not Found
2452	Process not Found
128	vssvc.exe
4580	Process not Found
1224	Process not Found
1344	WmiApSrv.exe
1332	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\blockwin\\dllhost.exe\""	perfNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Google\\SppExtComObj.exe\""	perfNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\""	perfNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\""	perfNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\sppsvc.exe\""	perfNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\blockwin\\WmiPrvSE.exe\""	perfNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Windows Mail\\WmiPrvSE.exe\""	perfNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Java\\jre-1.8\\legal\\javafx\\WmiPrvSE.exe\""	perfNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\cmd.exe\""	perfNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Google\\SppExtComObj.exe\""	perfNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\IME\\it-IT\\dllhost.exe\""	perfNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Idle.exe\""	perfNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Idle.exe\""	perfNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Windows Mail\\WmiPrvSE.exe\""	perfNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\blockwin\\dllhost.exe\""	perfNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Java\\jre-1.8\\legal\\javafx\\WmiPrvSE.exe\""	perfNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\cmd.exe\""	perfNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\IME\\it-IT\\dllhost.exe\""	perfNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\sppsvc.exe\""	perfNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\blockwin\\WmiPrvSE.exe\""	perfNet.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfNet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	perfNet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ipinfo.io
13	ipinfo.io

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\WmiPrvSE.exe	perfNet.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\24dbde2999530e	perfNet.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\ebf1f9fa8afd6d	perfNet.exe
File created	C:\Program Files\Google\SppExtComObj.exe	perfNet.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe	perfNet.exe
File opened for modification	C:\Program Files\Windows Mail\WmiPrvSE.exe	perfNet.exe
File created	C:\Program Files\Windows Mail\24dbde2999530e	perfNet.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\WmiPrvSE.exe	perfNet.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe	perfNet.exe
File created	C:\Program Files\Google\e1ef82546f0b02	perfNet.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\6ccacd8608530f	perfNet.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Web\xdwdDelta.exe	ThirdPartyGUI.exe
File created	C:\Windows\xdwd.dll	ThirdPartyGUI.exe
File created	C:\Windows\PrintDialog\en-US\spoolsv.exe	perfNet.exe
File created	C:\Windows\IME\it-IT\dllhost.exe	perfNet.exe
File created	C:\Windows\IME\it-IT\5940a34987c991	perfNet.exe
File created	C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe	perfNet.exe
File created	C:\Windows\Performance\WinSAT\DataStore\0a1fd5f707cd16	perfNet.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DeltaCrack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuilda.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	DCRatBuilda.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	Idle.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3500	schtasks.exe
4588	schtasks.exe
2500	schtasks.exe
4884	schtasks.exe
2608	schtasks.exe
3384	schtasks.exe
4620	schtasks.exe
4832	schtasks.exe
2512	schtasks.exe
2744	schtasks.exe
780	schtasks.exe
2900	schtasks.exe
3800	schtasks.exe
4352	schtasks.exe
228	schtasks.exe
2096	schtasks.exe
1844	schtasks.exe
4596	schtasks.exe
3692	schtasks.exe
2544	schtasks.exe
2176	schtasks.exe
2060	schtasks.exe
4544	schtasks.exe
4800	schtasks.exe
1224	schtasks.exe
5108	schtasks.exe
688	schtasks.exe
3508	schtasks.exe
1144	schtasks.exe
3172	schtasks.exe
1400	schtasks.exe
3968	schtasks.exe
888	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1648	powershell.exe
1648	powershell.exe
2436	powershell.exe
2436	powershell.exe
1592	perfNet.exe
1592	perfNet.exe
1592	perfNet.exe
1592	perfNet.exe
1592	perfNet.exe
1592	perfNet.exe
1592	perfNet.exe
1224	schtasks.exe
1224	schtasks.exe
4620	schtasks.exe
4620	schtasks.exe
2544	schtasks.exe
2544	schtasks.exe
3800	schtasks.exe
3800	schtasks.exe
5108	schtasks.exe
5108	schtasks.exe
4352	schtasks.exe
4352	schtasks.exe
2500	schtasks.exe
2500	schtasks.exe
4884	schtasks.exe
4884	schtasks.exe
4832	schtasks.exe
4832	schtasks.exe
1400	schtasks.exe
1400	schtasks.exe
228	schtasks.exe
228	schtasks.exe
1592	perfNet.exe
1592	perfNet.exe
2176	schtasks.exe
2176	schtasks.exe
688	schtasks.exe
688	schtasks.exe
2608	schtasks.exe
2608	schtasks.exe
2096	schtasks.exe
2096	schtasks.exe
2512	schtasks.exe
2512	schtasks.exe
2744	schtasks.exe
2744	schtasks.exe
2060	schtasks.exe
2060	schtasks.exe
3508	schtasks.exe
3508	schtasks.exe
3968	schtasks.exe
3968	schtasks.exe
3384	schtasks.exe
3384	schtasks.exe
1144	schtasks.exe
1144	schtasks.exe
3500	schtasks.exe
3500	schtasks.exe
1844	schtasks.exe
1844	schtasks.exe
780	schtasks.exe
780	schtasks.exe
888	schtasks.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	DeltaCrack.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	5004	ThirdPartyGUI.exe
Token: SeDebugPrivilege	2844	xdwdDelta.exe
Token: SeIncBasePriorityPrivilege	2844	xdwdDelta.exe
Token: SeDebugPrivilege	1592	perfNet.exe
Token: SeDebugPrivilege	3524	Idle.exe
Token: SeDebugPrivilege	1604	xdwdDelta.exe
Token: SeBackupPrivilege	128	vssvc.exe
Token: SeRestorePrivilege	128	vssvc.exe
Token: SeAuditPrivilege	128	vssvc.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1648	900	DeltaCrack.exe	78
PID 900 wrote to memory of 1648	900	DeltaCrack.exe	78
PID 900 wrote to memory of 1648	900	DeltaCrack.exe	78
PID 900 wrote to memory of 2436	900	DeltaCrack.exe	80
PID 900 wrote to memory of 2436	900	DeltaCrack.exe	80
PID 900 wrote to memory of 2436	900	DeltaCrack.exe	80
PID 900 wrote to memory of 5004	900	DeltaCrack.exe	82
PID 900 wrote to memory of 5004	900	DeltaCrack.exe	82
PID 900 wrote to memory of 4916	900	DeltaCrack.exe	83
PID 900 wrote to memory of 4916	900	DeltaCrack.exe	83
PID 900 wrote to memory of 4916	900	DeltaCrack.exe	83
PID 4916 wrote to memory of 572	4916	DCRatBuilda.exe	85
PID 4916 wrote to memory of 572	4916	DCRatBuilda.exe	85
PID 4916 wrote to memory of 572	4916	DCRatBuilda.exe	85
PID 4916 wrote to memory of 4984	4916	DCRatBuilda.exe	86
PID 4916 wrote to memory of 4984	4916	DCRatBuilda.exe	86
PID 4916 wrote to memory of 4984	4916	DCRatBuilda.exe	86
PID 5004 wrote to memory of 4608	5004	ThirdPartyGUI.exe	88
PID 5004 wrote to memory of 4608	5004	ThirdPartyGUI.exe	88
PID 5004 wrote to memory of 416	5004	ThirdPartyGUI.exe	90
PID 5004 wrote to memory of 416	5004	ThirdPartyGUI.exe	90
PID 5004 wrote to memory of 1188	5004	ThirdPartyGUI.exe	92
PID 5004 wrote to memory of 1188	5004	ThirdPartyGUI.exe	92
PID 416 wrote to memory of 3692	416	cmd.exe	93
PID 416 wrote to memory of 3692	416	cmd.exe	93
PID 1188 wrote to memory of 3172	1188	cmd.exe	95
PID 1188 wrote to memory of 3172	1188	cmd.exe	95
PID 5004 wrote to memory of 2844	5004	ThirdPartyGUI.exe	96
PID 5004 wrote to memory of 2844	5004	ThirdPartyGUI.exe	96
PID 2844 wrote to memory of 1672	2844	xdwdDelta.exe	97
PID 2844 wrote to memory of 1672	2844	xdwdDelta.exe	97
PID 1672 wrote to memory of 4588	1672	cmd.exe	99
PID 1672 wrote to memory of 4588	1672	cmd.exe	99
PID 572 wrote to memory of 2280	572	WScript.exe	100
PID 572 wrote to memory of 2280	572	WScript.exe	100
PID 572 wrote to memory of 2280	572	WScript.exe	100
PID 2280 wrote to memory of 1592	2280	cmd.exe	102
PID 2280 wrote to memory of 1592	2280	cmd.exe	102
PID 1592 wrote to memory of 3524	1592	perfNet.exe	133
PID 1592 wrote to memory of 3524	1592	perfNet.exe	133
PID 3524 wrote to memory of 4532	3524	Idle.exe	134
PID 3524 wrote to memory of 4532	3524	Idle.exe	134
PID 3524 wrote to memory of 4872	3524	Idle.exe	135
PID 3524 wrote to memory of 4872	3524	Idle.exe	135

System policy modification 1 TTPs 6 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	perfNet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	perfNet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	perfNet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\DeltaCrack.exe
"C:\Users\Admin\AppData\Local\Temp\DeltaCrack.exe"
1⤵
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ThirdPartyGUI.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DCRatBuilda.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Users\Admin\AppData\Local\Temp\ThirdPartyGUI.exe
  "C:\Users\Admin\AppData\Local\Temp\ThirdPartyGUI.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" netsh advfirewall firewall add rule name="euC2j"B@jCobjs" dir=in action=allow program="C:\Windows\Web\xdwdDelta.exe" enable=yes & exit
    3⤵
    PID:4608
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Microsoft\Windows\RuntimeOpen" /tr "C:\Windows\Web\xdwdDelta.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:416
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc minute /mo 1 /tn "Microsoft\Windows\RuntimeOpen" /tr "C:\Windows\Web\xdwdDelta.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3692
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c schtasks /create /f /sc minute /mo 30 /tn "Microsoft\Windows\Setup" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Web\xdwdDeltaOpen.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc minute /mo 30 /tn "Microsoft\Windows\Setup" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Web\xdwdDeltaOpen.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3172
- - C:\Windows\Web\xdwdDelta.exe
    "C:\Windows\Web\xdwdDelta.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c schtasks /create /f /sc minute /mo 30 /tn "Microsoft\Windows\Setup" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Web\xdwdDeltaOpen.exe" /RL HIGHEST & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1672
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc minute /mo 30 /tn "Microsoft\Windows\Setup" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Web\xdwdDeltaOpen.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4588
- C:\Users\Admin\AppData\Local\Temp\DCRatBuilda.exe
  "C:\Users\Admin\AppData\Local\Temp\DCRatBuilda.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blockwin\Uey4G9jLOu96Ny61Odc6qMzirlqd.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\blockwin\7AofWjGgJu1A5FU93LEjadiQr2.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2280
    - - C:\blockwin\perfNet.exe
        
        "C:\blockwin\perfNet.exe"
        5⤵
        Modifies WinLogon for persistence
        UAC bypass
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1592
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68b85691-f8de-4f74-a62b-cb74cbde6026.vbs"
        7⤵
        Loads dropped DLL
        
        PID:4532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a4e5f72-c650-4896-95be-53243c96bc92.vbs"
        7⤵
        Loads dropped DLL
        
        PID:4872
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blockwin\file.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\blockwin\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\blockwin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\blockwin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre-1.8\legal\javafx\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\legal\javafx\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre-1.8\legal\javafx\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Google\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\it-IT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\IME\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\blockwin\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\blockwin\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\blockwin\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\Web\xdwdDelta.exe
C:\Windows\Web\xdwdDelta.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:128

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a97d5c8c0c04a9b06036d45fca1faad4

SHA1
922f2d9eb6ebda9c86814d78e66dcffa4949620b

SHA256
ccc7e9ebae35e0e75a1adad6ec349fa7d3924bd68e6ddd016759c3812ebbd236

SHA512
3780e1456c54ee96276c3a8a382d346feb680c73e1ef609440294950b2e90bf01bcb0d3c65ec25d107f81377ca4f766712f9965d7628f40dbcb2333480cb538e

Download Submit
C:\Users\Admin\AppData\Local\Temp\68b85691-f8de-4f74-a62b-cb74cbde6026.vbs

Filesize
731B

MD5
23ea38deb4699f22b7431f5e6d8de42d

SHA1
cb6cb368678a613640741439f5f1447e4171943a

SHA256
79aa2742892606e4cba0a15a8b91b366d1524ca8f9e5fb0b2b3a9ac7d4691480

SHA512
c2a59802fa8fce7145ae5dbb5bb6a757b27f2f6fe53663fe1416fd1aa28829cda844b24822932f459c450b96a555cad6681de59617ad26dff9f9686ed8533aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a4e5f72-c650-4896-95be-53243c96bc92.vbs

Filesize
507B

MD5
41b5de756925bc673af48fa7580a6e1c

SHA1
0b494e4eae5ba8f4f643a16ecb157295977da019

SHA256
d687bde12001d8bb9a8095005ca469c35f963fb4decf102ad4074aadffb52535

SHA512
2ac1adb97dff02e5f0ea8379e9e82aa130a399ec779cda899e5561d559d971e7f4093375986b518a5affcd81c073036acdc472bf188269ece6acf9340de6c70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRatBuilda.exe

Filesize
3.5MB

MD5
cfa948f94f8d7f1fd510585aef476a69

SHA1
cd7cf739c1d64110cf22fece8feeeedc26f1603f

SHA256
2e03c52c02ed1bd99d98207216daa3a1e0183a3c75bf85fc7c5bc88ca64f53f1

SHA512
0e8bac35aeeb1a438603fea0949aceca47436616f3cb35e77d58786dd2ebe3e558dd5ea5a4ed68c09579459f1a6ee5736e7f5f47c2b6f74ae08da72f56de78ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThirdPartyGUI.exe

Filesize
491KB

MD5
3b91589b90ba27dd718891345bfa44a1

SHA1
1c897b16b1618d84ba0cc504bbfd568f7bff2dbc

SHA256
ca2edf76122bdad8371105bd8c25cf694125a706f04bc179fc4a82e8c2c1dcc2

SHA512
27f46301a82e3436b58735e827e4f3fd9db5a013402f42b768a526f7ca3e51f3c1e2134cf1fbc215d7a56df9d74010af9de60cf4633facb83c50f2d010fd2d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nopnkqtt.1xv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
C:\blockwin\7AofWjGgJu1A5FU93LEjadiQr2.bat

Filesize
25B

MD5
e2d229f9984a950c6eaff0044fea0bae

SHA1
d5277c12ca713e30b012b50113c67df7610363ed

SHA256
67888d8ba5f06a23312516c505470a517b8ed91e96fa982b98fe46279061072d

SHA512
91b789ab925f9ebbe5f7473552fa8f1ce51f0bd1e030c22432fcefe6307fb778556ee5528038faecb38b0a7fcec45bee7248904d425fde38694e711da7eac99f

Download Submit
C:\blockwin\Uey4G9jLOu96Ny61Odc6qMzirlqd.vbe

Filesize
211B

MD5
3f857d8f136f4c8325296f1046d98c50

SHA1
5195a4df467a86620605b389d15b80d47e7ff8f9

SHA256
9a508ed5788b05d9be357691206a98931bc1cbe1f008f73a98ea9a67f5299614

SHA512
24390db1329412da00def04a7b6374f09f7bc48e23f7076715ebfa83c3fa3eb54446449a68acc88e51d0b2bd6756fa08c144a073a944166861bbb337e1cc15cd

Download Submit
C:\blockwin\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\blockwin\perfNet.exe

Filesize
3.2MB

MD5
eac85329879a44b0afd749095a2244ba

SHA1
f3b77b7d567770d8a7b1c31b065845c53d31227a

SHA256
572c9219476ef031a339820b86e3b63b709cccd4d7b856d05d83a1a9b4e4e7b9

SHA512
be1b3bc60185f83473a1b929042767256e545521f5bbbb34b877a32e963f134bf2f842e54fd2c6f6c395b732055559379ce90efe6c466751c6e618c3c9ae709a

Download Submit
memory/900-36-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/900-0-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/900-233-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/900-2-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/900-1-0x0000000000E80000-0x0000000000E8A000-memory.dmp

Filesize
40KB

Download
memory/900-51-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/1592-154-0x000000001C2B0000-0x000000001C2B8000-memory.dmp

Filesize
32KB

Download
memory/1592-158-0x000000001C460000-0x000000001C46C000-memory.dmp

Filesize
48KB

Download
memory/1592-168-0x000000001C700000-0x000000001C70C000-memory.dmp

Filesize
48KB

Download
memory/1592-167-0x000000001C6F0000-0x000000001C6FA000-memory.dmp

Filesize
40KB

Download
memory/1592-165-0x000000001C6D0000-0x000000001C6D8000-memory.dmp

Filesize
32KB

Download
memory/1592-166-0x000000001C6E0000-0x000000001C6E8000-memory.dmp

Filesize
32KB

Download
memory/1592-161-0x000000001C690000-0x000000001C69A000-memory.dmp

Filesize
40KB

Download
memory/1592-162-0x000000001C6A0000-0x000000001C6AE000-memory.dmp

Filesize
56KB

Download
memory/1592-163-0x000000001C6B0000-0x000000001C6B8000-memory.dmp

Filesize
32KB

Download
memory/1592-164-0x000000001C6C0000-0x000000001C6CE000-memory.dmp

Filesize
56KB

Download
memory/1592-160-0x000000001C680000-0x000000001C68C000-memory.dmp

Filesize
48KB

Download
memory/1592-159-0x000000001C670000-0x000000001C678000-memory.dmp

Filesize
32KB

Download
memory/1592-155-0x000000001C430000-0x000000001C43C000-memory.dmp

Filesize
48KB

Download
memory/1592-157-0x000000001C450000-0x000000001C45C000-memory.dmp

Filesize
48KB

Download
memory/1592-156-0x000000001C440000-0x000000001C448000-memory.dmp

Filesize
32KB

Download
memory/1592-153-0x000000001C960000-0x000000001CE88000-memory.dmp

Filesize
5.2MB

Download
memory/1592-151-0x000000001C290000-0x000000001C298000-memory.dmp

Filesize
32KB

Download
memory/1592-152-0x000000001C2A0000-0x000000001C2B2000-memory.dmp

Filesize
72KB

Download
memory/1592-150-0x000000001C280000-0x000000001C28C000-memory.dmp

Filesize
48KB

Download
memory/1592-149-0x000000001BA10000-0x000000001BA18000-memory.dmp

Filesize
32KB

Download
memory/1592-148-0x000000001BA00000-0x000000001BA0C000-memory.dmp

Filesize
48KB

Download
memory/1592-147-0x000000001C3C0000-0x000000001C416000-memory.dmp

Filesize
344KB

Download
memory/1592-146-0x000000001B9F0000-0x000000001B9FA000-memory.dmp

Filesize
40KB

Download
memory/1592-144-0x0000000002F10000-0x0000000002F18000-memory.dmp

Filesize
32KB

Download
memory/1592-145-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/1592-143-0x000000001B9E0000-0x000000001B9EC000-memory.dmp

Filesize
48KB

Download
memory/1592-138-0x0000000002F20000-0x0000000002F70000-memory.dmp

Filesize
320KB

Download
memory/1592-142-0x0000000002F80000-0x0000000002F92000-memory.dmp

Filesize
72KB

Download
memory/1592-140-0x0000000002EE0000-0x0000000002EF6000-memory.dmp

Filesize
88KB

Download
memory/1592-141-0x0000000002F00000-0x0000000002F08000-memory.dmp

Filesize
32KB

Download
memory/1592-133-0x0000000000890000-0x0000000000BCE000-memory.dmp

Filesize
3.2MB

Download
memory/1592-134-0x0000000001580000-0x000000000158E000-memory.dmp

Filesize
56KB

Download
memory/1592-135-0x0000000001590000-0x000000000159E000-memory.dmp

Filesize
56KB

Download
memory/1592-136-0x00000000015F0000-0x00000000015F8000-memory.dmp

Filesize
32KB

Download
memory/1592-137-0x0000000002EB0000-0x0000000002ECC000-memory.dmp

Filesize
112KB

Download
memory/1592-139-0x0000000002ED0000-0x0000000002ED8000-memory.dmp

Filesize
32KB

Download
memory/1648-70-0x0000000007C80000-0x0000000007C88000-memory.dmp

Filesize
32KB

Download
memory/1648-49-0x0000000007810000-0x00000000078B4000-memory.dmp

Filesize
656KB

Download
memory/1648-50-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/1648-20-0x0000000006140000-0x0000000006497000-memory.dmp

Filesize
3.3MB

Download
memory/1648-21-0x00000000065F0000-0x000000000660E000-memory.dmp

Filesize
120KB

Download
memory/1648-5-0x0000000003130000-0x0000000003166000-memory.dmp

Filesize
216KB

Download
memory/1648-22-0x0000000006640000-0x000000000668C000-memory.dmp

Filesize
304KB

Download
memory/1648-7-0x0000000005B10000-0x000000000613A000-memory.dmp

Filesize
6.2MB

Download
memory/1648-6-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/1648-47-0x0000000006BE0000-0x0000000006BFE000-memory.dmp

Filesize
120KB

Download
memory/1648-9-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/1648-73-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/1648-19-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/1648-8-0x0000000005670000-0x0000000005692000-memory.dmp

Filesize
136KB

Download
memory/1648-55-0x00000000079C0000-0x00000000079CA000-memory.dmp

Filesize
40KB

Download
memory/1648-10-0x0000000005980000-0x00000000059E6000-memory.dmp

Filesize
408KB

Download
memory/1648-67-0x0000000007B80000-0x0000000007B8E000-memory.dmp

Filesize
56KB

Download
memory/1648-48-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/1648-57-0x0000000007B50000-0x0000000007B61000-memory.dmp

Filesize
68KB

Download
memory/1648-37-0x00000000075D0000-0x0000000007604000-memory.dmp

Filesize
208KB

Download
memory/1648-56-0x0000000007BD0000-0x0000000007C66000-memory.dmp

Filesize
600KB

Download
memory/1648-68-0x0000000007B90000-0x0000000007BA5000-memory.dmp

Filesize
84KB

Download
memory/1648-54-0x0000000007940000-0x000000000795A000-memory.dmp

Filesize
104KB

Download
memory/1648-53-0x0000000007F90000-0x000000000860A000-memory.dmp

Filesize
6.5MB

Download
memory/1648-52-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/1648-38-0x0000000070DF0000-0x0000000070E3C000-memory.dmp

Filesize
304KB

Download
memory/1648-69-0x0000000007C90000-0x0000000007CAA000-memory.dmp

Filesize
104KB

Download
memory/2436-35-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/2436-58-0x0000000070DF0000-0x0000000070E3C000-memory.dmp

Filesize
304KB

Download
memory/2436-26-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/2436-77-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/2436-25-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/3524-231-0x000000001BB80000-0x000000001BB92000-memory.dmp

Filesize
72KB

Download
memory/3524-248-0x000000001DFB0000-0x000000001E172000-memory.dmp

Filesize
1.8MB

Download
memory/3524-254-0x000000001D9D0000-0x000000001DA16000-memory.dmp

Filesize
280KB

Download
memory/3524-258-0x000000001D480000-0x000000001D48B000-memory.dmp

Filesize
44KB

Download
memory/3524-257-0x000000001DA20000-0x000000001DA3E000-memory.dmp

Filesize
120KB

Download
memory/3524-256-0x000000001C2A0000-0x000000001C2AD000-memory.dmp

Filesize
52KB

Download
memory/3524-255-0x0000000002680000-0x0000000002689000-memory.dmp

Filesize
36KB

Download
memory/5004-92-0x0000000000C00000-0x0000000000C7C000-memory.dmp

Filesize
496KB

Download