dcrat | 9f09328091800505339ee1a9f01b6a7646ed60d2ed21808b5e171175f1723b6b

Resubmissions

07-02-2025 10:11

250207-l7w14axmbt 10

07-02-2025 08:56

250207-kwfz3axkfr 10

Analysis

max time kernel
30s
max time network
30s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2025 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Size

1.9MB
MD5

aae1c0e394855b9138d9d540a884eb1c
SHA1

76443a092ea47adebb55e663c8299c495dd9e324
SHA256

9f09328091800505339ee1a9f01b6a7646ed60d2ed21808b5e171175f1723b6b
SHA512

a3bda818e3c84e16ae7788ecf4bce9712ab23a152ff164a5cb4e3723e8145ad912cbdc7c2902bb937812e9335733e8252b015eef92d4745b17403a632cbf7322
SSDEEP

49152:HU7L1b7b3wCVJFpcHWhW8bLoym4ZEu9eBknBe6Y:HU7hbXAagWc8fo4ZESc6

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Microsoft OneDrive\\setup\\taskhostw.exe\", \"C:\\Program Files\\Microsoft Office\\System.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Program Files (x86)\\Adobe\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Microsoft OneDrive\\setup\\taskhostw.exe\", \"C:\\Program Files\\Microsoft Office\\System.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Program Files (x86)\\Adobe\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Microsoft OneDrive\\setup\\taskhostw.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Microsoft OneDrive\\setup\\taskhostw.exe\", \"C:\\Program Files\\Microsoft Office\\System.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Microsoft OneDrive\\setup\\taskhostw.exe\", \"C:\\Program Files\\Microsoft Office\\System.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Microsoft OneDrive\\setup\\taskhostw.exe\", \"C:\\Program Files\\Microsoft Office\\System.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Program Files (x86)\\Adobe\\upfc.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2252	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	2252	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2252	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	2252	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2252	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2252	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	2252	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2252	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2252	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	2252	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	2252	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2252	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2252	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2252	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	2252	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2252	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	2252	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	2252	schtasks.exe	87

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2464	powershell.exe
2092	powershell.exe
1392	powershell.exe
4968	powershell.exe
1932	powershell.exe
4524	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe

Executes dropped EXE 1 IoCs

pid	Process
2448	TextInputHost.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\All Users\\Microsoft OneDrive\\setup\\taskhostw.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\All Users\\Microsoft OneDrive\\setup\\taskhostw.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Adobe\\upfc.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Adobe\\upfc.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9f09328091800505339ee1a9f01b6a7646ed60d2ed218 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Microsoft Office\\System.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Microsoft Office\\System.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Recovery\\WindowsRE\\TextInputHost.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Recovery\\WindowsRE\\TextInputHost.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9f09328091800505339ee1a9f01b6a7646ed60d2ed218 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ipinfo.io
20	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCF9085B6B5D34D5AA08D4698857D76B.TMP	csc.exe
File created	\??\c:\Windows\System32\2s3f_b.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\upfc.exe	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
File created	C:\Program Files (x86)\Adobe\ea1d8f6d871115	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
File created	C:\Program Files\Microsoft Office\System.exe	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
File created	C:\Program Files\Microsoft Office\27d1bcfc3c54e0	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ImmersiveControlPanel\en-US\upfc.exe	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
File created	C:\Windows\LanguageOverlayCache\backgroundTaskHost.exe	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3684	schtasks.exe
964	schtasks.exe
4420	schtasks.exe
1732	schtasks.exe
1592	schtasks.exe
3644	schtasks.exe
2920	schtasks.exe
2080	schtasks.exe
3336	schtasks.exe
1868	schtasks.exe
4408	schtasks.exe
4500	schtasks.exe
2336	schtasks.exe
4060	schtasks.exe
4068	schtasks.exe
1776	schtasks.exe
2164	schtasks.exe
1252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	2448	TextInputHost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1104	1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	91
PID 1688 wrote to memory of 1104	1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	91
PID 1104 wrote to memory of 4260	1104	csc.exe	93
PID 1104 wrote to memory of 4260	1104	csc.exe	93
PID 1688 wrote to memory of 4968	1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	113
PID 1688 wrote to memory of 4968	1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	113
PID 1688 wrote to memory of 1392	1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	114
PID 1688 wrote to memory of 1392	1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	114
PID 1688 wrote to memory of 2092	1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	115
PID 1688 wrote to memory of 2092	1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	115
PID 1688 wrote to memory of 2464	1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	116
PID 1688 wrote to memory of 2464	1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	116
PID 1688 wrote to memory of 4524	1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	117
PID 1688 wrote to memory of 4524	1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	117
PID 1688 wrote to memory of 1932	1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	118
PID 1688 wrote to memory of 1932	1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	118
PID 1688 wrote to memory of 1604	1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	125
PID 1688 wrote to memory of 1604	1688	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	125
PID 1604 wrote to memory of 2212	1604	cmd.exe	128
PID 1604 wrote to memory of 2212	1604	cmd.exe	128
PID 1604 wrote to memory of 1648	1604	cmd.exe	129
PID 1604 wrote to memory of 1648	1604	cmd.exe	129
PID 1604 wrote to memory of 2448	1604	cmd.exe	131
PID 1604 wrote to memory of 2448	1604	cmd.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
"C:\Users\Admin\AppData\Local\Temp\9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bff3ualo\bff3ualo.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES212F.tmp" "c:\Windows\System32\CSCF9085B6B5D34D5AA08D4698857D76B.TMP"
    3⤵
    PID:4260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\setup\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xXxtRkiiGR.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2212
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1648
- - C:\Recovery\WindowsRE\TextInputHost.exe
    "C:\Recovery\WindowsRE\TextInputHost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9f09328091800505339ee1a9f01b6a7646ed60d2ed2189" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9f09328091800505339ee1a9f01b6a7646ed60d2ed218" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9f09328091800505339ee1a9f01b6a7646ed60d2ed2189" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft OneDrive\setup\taskhostw.exe

Filesize
1.9MB

MD5
aae1c0e394855b9138d9d540a884eb1c

SHA1
76443a092ea47adebb55e663c8299c495dd9e324

SHA256
9f09328091800505339ee1a9f01b6a7646ed60d2ed21808b5e171175f1723b6b

SHA512
a3bda818e3c84e16ae7788ecf4bce9712ab23a152ff164a5cb4e3723e8145ad912cbdc7c2902bb937812e9335733e8252b015eef92d4745b17403a632cbf7322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
089619ee1cc914333042a90988ea799b

SHA1
cb95423a4b577fffb24d92966c4ab56dbb8e9576

SHA256
d9509bad8f79551163a6aec1e0be2f8bcbee7214b4b5f6e067e8ced6b5175db1

SHA512
f777c685eda572e647c9bdfbf820006346b652723b6d4b69a78477408b0a9df823ec5c7050a34292e6310d04933afb406dd04ae714af86ea0a351458719105ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES212F.tmp

Filesize
1KB

MD5
0ceb7f1d77dc97c70f2d3445a533e74b

SHA1
00fad0431b36b82b32de2195c74521a4655152b6

SHA256
34d5b4e1218b96ec367d9deb26700a245179779c03a811a7ec395155888c79bb

SHA512
db4f2f2f89893fa52a0505b6d1548ad42a1bd1e7828288226d3ebcbd699f5aa4a23fa986686ae4dd5bd29aa65e3521d32550e939e8e09aa1fdd96bb8f9141397

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3rezl4fd.1zx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xXxtRkiiGR.bat

Filesize
215B

MD5
2ca8cba431c49161b25c87b547c98d30

SHA1
30b7363826f198b83cb0fffce18b9865e8f9d9ad

SHA256
5d211489cb34bae4d4bd37527dafb0871bc6d2071fcd5dde2c6db94da70fef17

SHA512
d2010a9800d0314994a08f536e3f84b0e416fa7be179931a3b8e66d160bffea839f483bab061c7074c99b397928bc9900e5fea27ac4ab52bc56a896e559385a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bff3ualo\bff3ualo.0.cs

Filesize
389B

MD5
7ee71ba3e9c72d7ff35df962dcdc503e

SHA1
142ef62e9fec6048913b44cca8c1f5e6f48bf97e

SHA256
ca52b9beb7a649cf71d4c99b25acd11652e8944b8e65339e37b6f81a2aabef84

SHA512
cf6874889ff30553832b58ae1a3508459222db39cfbdd76a82ced5c49d848b51af7986cc5057302a70761d82078a0f4ef4d7817cf4972c0aeda057b2e5c741a7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bff3ualo\bff3ualo.cmdline

Filesize
235B

MD5
799c8770e8f3517655fd2e746a54facd

SHA1
270ab41568e385b4826595eb44b40fa5f17fb9eb

SHA256
231eaa793fc4b2d529c6b4606cfaeade35aa795a205e5ad5b6fd9f11838e16d3

SHA512
adcc89bf4dfa1c9457bbb6e1a3abfd26a4b367943e368fa37d01b0ba23706e5772db30633e01e80699ba6d6f821290f2f8aa0623a0f2664d411b93165015a890

Download Submit
\??\c:\Windows\System32\CSCF9085B6B5D34D5AA08D4698857D76B.TMP

Filesize
1KB

MD5
2e6252ebbb9348e0b206bf200c9743ca

SHA1
603690120d9dd714588689835dcbef5a9993c0fa

SHA256
bcaeb1569fda645cd1a450d67ab14f0866b53a3c79f92ab15a63aeea2ba839be

SHA512
ce7a0806dfd0a3b658eab6dec7f476674bbf6ea526f3e40e6dc3d7094d5587f401f94d3e2278c1304904169e24f1a97e8467eb1b0cb082a831482fb8e1f26b77

Download Submit
memory/1392-64-0x000002738BC40000-0x000002738BC62000-memory.dmp

Filesize
136KB

Download
memory/1688-10-0x0000000002CE0000-0x0000000002D30000-memory.dmp

Filesize
320KB

Download
memory/1688-15-0x00007FFB585A0000-0x00007FFB59061000-memory.dmp

Filesize
10.8MB

Download
memory/1688-12-0x0000000002B50000-0x0000000002B68000-memory.dmp

Filesize
96KB

Download
memory/1688-19-0x0000000002B70000-0x0000000002B7C000-memory.dmp

Filesize
48KB

Download
memory/1688-32-0x00007FFB585A0000-0x00007FFB59061000-memory.dmp

Filesize
10.8MB

Download
memory/1688-33-0x00007FFB585A0000-0x00007FFB59061000-memory.dmp

Filesize
10.8MB

Download
memory/1688-34-0x00007FFB585A0000-0x00007FFB59061000-memory.dmp

Filesize
10.8MB

Download
memory/1688-35-0x00007FFB585A0000-0x00007FFB59061000-memory.dmp

Filesize
10.8MB

Download
memory/1688-38-0x00007FFB585A0000-0x00007FFB59061000-memory.dmp

Filesize
10.8MB

Download
memory/1688-40-0x00007FFB585A0000-0x00007FFB59061000-memory.dmp

Filesize
10.8MB

Download
memory/1688-14-0x00000000012E0000-0x00000000012EC000-memory.dmp

Filesize
48KB

Download
memory/1688-20-0x00007FFB585A0000-0x00007FFB59061000-memory.dmp

Filesize
10.8MB

Download
memory/1688-17-0x00000000012F0000-0x00000000012F8000-memory.dmp

Filesize
32KB

Download
memory/1688-0-0x00007FFB585A3000-0x00007FFB585A5000-memory.dmp

Filesize
8KB

Download
memory/1688-9-0x0000000002B30000-0x0000000002B4C000-memory.dmp

Filesize
112KB

Download
memory/1688-7-0x00007FFB585A0000-0x00007FFB59061000-memory.dmp

Filesize
10.8MB

Download
memory/1688-65-0x00007FFB585A0000-0x00007FFB59061000-memory.dmp

Filesize
10.8MB

Download
memory/1688-6-0x00000000012C0000-0x00000000012CE000-memory.dmp

Filesize
56KB

Download
memory/1688-4-0x00007FFB585A0000-0x00007FFB59061000-memory.dmp

Filesize
10.8MB

Download
memory/1688-3-0x00007FFB585A0000-0x00007FFB59061000-memory.dmp

Filesize
10.8MB

Download
memory/1688-2-0x00007FFB585A0000-0x00007FFB59061000-memory.dmp

Filesize
10.8MB

Download
memory/1688-1-0x0000000000810000-0x00000000009F4000-memory.dmp

Filesize
1.9MB

Download