dcrat | fd198cf3ef764ffa17e7bd465d666057804a25ed5c6061074c0de7b6df43a667

Analysis

max time kernel
126s
max time network
163s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2eff63cdfbb658f2a6e69851e7de131a.exe
Size

5.9MB
MD5

2eff63cdfbb658f2a6e69851e7de131a
SHA1

8a9e262a7319d2699cbee02b9de83fecd4bb3457
SHA256

5174e6fefa2a518cdaadb75f07a9bb7f9aaa6e0e24ba1610d3e400036cf02900
SHA512

3e3ea7e36e9dbaa5a969846f575f5138ba416a88bdc07f1e99af66a6c18a458434c680ade203dda242be3aa10c02c21e3f9427ad39ef90b72cc03855ddc93e40
SSDEEP

98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4T:hyeU11Rvqmu8TWKnF6N/1wO

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2236	schtasks.exe	30

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2eff63cdfbb658f2a6e69851e7de131a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2eff63cdfbb658f2a6e69851e7de131a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2eff63cdfbb658f2a6e69851e7de131a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2364	powershell.exe
2384	powershell.exe
2084	powershell.exe
2024	powershell.exe
1936	powershell.exe
2352	powershell.exe
2368	powershell.exe
2204	powershell.exe
1792	powershell.exe
1488	powershell.exe
2088	powershell.exe
2376	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2eff63cdfbb658f2a6e69851e7de131a.exe

Executes dropped EXE 3 IoCs

pid	Process
2784	System.exe
1576	System.exe
2752	System.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2eff63cdfbb658f2a6e69851e7de131a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2eff63cdfbb658f2a6e69851e7de131a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2784	System.exe
2784	System.exe
1576	System.exe
1576	System.exe
2752	System.exe
2752	System.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX42ED.tmp	2eff63cdfbb658f2a6e69851e7de131a.exe
File created	C:\Program Files (x86)\Windows Portable Devices\smss.exe	2eff63cdfbb658f2a6e69851e7de131a.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\smss.exe	2eff63cdfbb658f2a6e69851e7de131a.exe
File created	C:\Program Files (x86)\Windows Portable Devices\69ddcba757bf72	2eff63cdfbb658f2a6e69851e7de131a.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX4250.tmp	2eff63cdfbb658f2a6e69851e7de131a.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\1610b97d3ab4a7	2eff63cdfbb658f2a6e69851e7de131a.exe
File opened for modification	C:\Windows\es-ES\RCX4A33.tmp	2eff63cdfbb658f2a6e69851e7de131a.exe
File opened for modification	C:\Windows\es-ES\OSPPSVC.exe	2eff63cdfbb658f2a6e69851e7de131a.exe
File created	C:\Windows\Media\Festival\sppsvc.exe	2eff63cdfbb658f2a6e69851e7de131a.exe
File opened for modification	C:\Windows\Media\Festival\RCX4500.tmp	2eff63cdfbb658f2a6e69851e7de131a.exe
File opened for modification	C:\Windows\Media\Festival\RCX4501.tmp	2eff63cdfbb658f2a6e69851e7de131a.exe
File opened for modification	C:\Windows\Media\Festival\sppsvc.exe	2eff63cdfbb658f2a6e69851e7de131a.exe
File opened for modification	C:\Windows\es-ES\RCX49B5.tmp	2eff63cdfbb658f2a6e69851e7de131a.exe
File created	C:\Windows\Media\Festival\0a1fd5f707cd16	2eff63cdfbb658f2a6e69851e7de131a.exe
File created	C:\Windows\es-ES\OSPPSVC.exe	2eff63cdfbb658f2a6e69851e7de131a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
284	schtasks.exe
1276	schtasks.exe
1208	schtasks.exe
1000	schtasks.exe
2988	schtasks.exe
2856	schtasks.exe
328	schtasks.exe
1808	schtasks.exe
1972	schtasks.exe
2912	schtasks.exe
696	schtasks.exe
1664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2384	powershell.exe
1936	powershell.exe
2368	powershell.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
1792	powershell.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2352	powershell.exe
2376	powershell.exe
2364	powershell.exe
2088	powershell.exe
2204	powershell.exe
2084	powershell.exe
2024	powershell.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
1488	powershell.exe
2652	2eff63cdfbb658f2a6e69851e7de131a.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe
2784	System.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	2eff63cdfbb658f2a6e69851e7de131a.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	2784	System.exe
Token: SeDebugPrivilege	1576	System.exe
Token: SeDebugPrivilege	2752	System.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2368	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	43
PID 2652 wrote to memory of 2368	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	43
PID 2652 wrote to memory of 2368	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	43
PID 2652 wrote to memory of 2352	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	44
PID 2652 wrote to memory of 2352	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	44
PID 2652 wrote to memory of 2352	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	44
PID 2652 wrote to memory of 1936	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	46
PID 2652 wrote to memory of 1936	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	46
PID 2652 wrote to memory of 1936	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	46
PID 2652 wrote to memory of 2084	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	47
PID 2652 wrote to memory of 2084	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	47
PID 2652 wrote to memory of 2084	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	47
PID 2652 wrote to memory of 2384	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	49
PID 2652 wrote to memory of 2384	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	49
PID 2652 wrote to memory of 2384	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	49
PID 2652 wrote to memory of 2364	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	51
PID 2652 wrote to memory of 2364	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	51
PID 2652 wrote to memory of 2364	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	51
PID 2652 wrote to memory of 2376	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	52
PID 2652 wrote to memory of 2376	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	52
PID 2652 wrote to memory of 2376	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	52
PID 2652 wrote to memory of 2088	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	53
PID 2652 wrote to memory of 2088	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	53
PID 2652 wrote to memory of 2088	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	53
PID 2652 wrote to memory of 1488	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	54
PID 2652 wrote to memory of 1488	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	54
PID 2652 wrote to memory of 1488	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	54
PID 2652 wrote to memory of 1792	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	55
PID 2652 wrote to memory of 1792	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	55
PID 2652 wrote to memory of 1792	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	55
PID 2652 wrote to memory of 2024	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	56
PID 2652 wrote to memory of 2024	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	56
PID 2652 wrote to memory of 2024	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	56
PID 2652 wrote to memory of 2204	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	57
PID 2652 wrote to memory of 2204	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	57
PID 2652 wrote to memory of 2204	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	57
PID 2652 wrote to memory of 2784	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	67
PID 2652 wrote to memory of 2784	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	67
PID 2652 wrote to memory of 2784	2652	2eff63cdfbb658f2a6e69851e7de131a.exe	67
PID 2784 wrote to memory of 2040	2784	System.exe	68
PID 2784 wrote to memory of 2040	2784	System.exe	68
PID 2784 wrote to memory of 2040	2784	System.exe	68
PID 2784 wrote to memory of 1128	2784	System.exe	69
PID 2784 wrote to memory of 1128	2784	System.exe	69
PID 2784 wrote to memory of 1128	2784	System.exe	69
PID 2040 wrote to memory of 1576	2040	WScript.exe	70
PID 2040 wrote to memory of 1576	2040	WScript.exe	70
PID 2040 wrote to memory of 1576	2040	WScript.exe	70
PID 1576 wrote to memory of 1764	1576	System.exe	71
PID 1576 wrote to memory of 1764	1576	System.exe	71
PID 1576 wrote to memory of 1764	1576	System.exe	71
PID 1576 wrote to memory of 1912	1576	System.exe	72
PID 1576 wrote to memory of 1912	1576	System.exe	72
PID 1576 wrote to memory of 1912	1576	System.exe	72
PID 1764 wrote to memory of 2752	1764	WScript.exe	73
PID 1764 wrote to memory of 2752	1764	WScript.exe	73
PID 1764 wrote to memory of 2752	1764	WScript.exe	73
PID 2752 wrote to memory of 2900	2752	System.exe	74
PID 2752 wrote to memory of 2900	2752	System.exe	74
PID 2752 wrote to memory of 2900	2752	System.exe	74
PID 2752 wrote to memory of 2240	2752	System.exe	75
PID 2752 wrote to memory of 2240	2752	System.exe	75
PID 2752 wrote to memory of 2240	2752	System.exe	75

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2eff63cdfbb658f2a6e69851e7de131a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2eff63cdfbb658f2a6e69851e7de131a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2eff63cdfbb658f2a6e69851e7de131a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2eff63cdfbb658f2a6e69851e7de131a.exe
"C:\Users\Admin\AppData\Local\Temp\2eff63cdfbb658f2a6e69851e7de131a.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
  "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2784
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d29e95c6-f80d-4963-86c8-f26138dc3589.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
      "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1576
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76499886-3c63-4df2-965d-3a8d3ca60468.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1764
      - C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ba3701d-4c4e-4454-87d5-f023789a88e7.vbs"
        7⤵
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfc4d626-a188-4ebc-8730-2b4058f6aecb.vbs"
        7⤵
        
        PID:2240
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\feda59ff-ab8c-4d6d-a014-cbdf90efe8ac.vbs"
        5⤵
        
        PID:1912
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\900324e8-e40c-41ec-a7b5-4e2c1a277fff.vbs"
    3⤵
    PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Media\Festival\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Media\Festival\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\Media\Festival\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe

Filesize
5.9MB

MD5
ba996abfcc5b7e790b7cca2a6799f15f

SHA1
54300ef87e44b9eee6995382273155ce5a1cdc02

SHA256
c6009a8c84497242ba69f7a46c7d54938a62a2ed597591dd14075c17068e42f7

SHA512
28445b65884db6a1b1e5573fc477103bd7c3659d6740ec864d27d411d1e2eb46576402f41acec7f79bc6c898f02e1a575d64f4bdd49b9d90e4f90a26d5862225

Download Submit
C:\Program Files (x86)\Windows Portable Devices\smss.exe

Filesize
5.9MB

MD5
630ebb42e45916caa79f7d98a857c5dc

SHA1
7012ec4dddec00dbcd264cfd099c925de8f0c1f9

SHA256
d286677c83c772337596a6926b88f84777aa6b4b7eec81d4faa49720bc25488b

SHA512
a9e133f1004ba911534904f21bd1f489828f265d0fc1c1193a81c3d8d0dd4ab396ca9dd40df3fc987b81f19733d338c7e88631306d73af324686c4534d5422a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ba3701d-4c4e-4454-87d5-f023789a88e7.vbs

Filesize
749B

MD5
2f0ce5d340c7a8eb7348bb794b1ff6e5

SHA1
b7e20792fca4be2ad00624dc0b733ff50d39a47a

SHA256
60e6a0fa7f20b0b3260acfaca1fa464fb07b3e44091001bf038255ccd540310e

SHA512
d5a49b5b7cc04e2e9d145e8d654e066ad5ade1c382027f94c269cc7ba6a8fe181e1aa9a19cd9cecda954c12c6cb3505391840a7e5af9fe6df5574d195f04a804

Download Submit
C:\Users\Admin\AppData\Local\Temp\76499886-3c63-4df2-965d-3a8d3ca60468.vbs

Filesize
749B

MD5
6818952eca1c4f567806d477395b9c95

SHA1
7ca6261d8057b12726002a2aaac0c6fba55fac3d

SHA256
880466b32bcccddff43221ac79e8a43ab3763d56b824afea308bc080fe661a01

SHA512
55872e92381ef1d088d72aae8a152e168572df686b4ed497a42ff48403581f15332dfd734ed392e223a4fafff01a0cd248b767d6913af78c1d1017e87a02877f

Download Submit
C:\Users\Admin\AppData\Local\Temp\900324e8-e40c-41ec-a7b5-4e2c1a277fff.vbs

Filesize
525B

MD5
2bca4b3efa74b850a08a7bbd0ca2d817

SHA1
a44fe464153ee0dacd092491ace259aa12169202

SHA256
e6503c9e2ca05a7f21c4c532c987c1fd6a5d31f6ab8230c50fbdcc70639d81eb

SHA512
ff4bbfa021360186dd2ec60e061431d556865238d3aef51c8271fa405cdc844998ec84e65c564bc71d132be29d80b147228a02899be93a90a8d88749e05abbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX402D.tmp

Filesize
5.9MB

MD5
2eff63cdfbb658f2a6e69851e7de131a

SHA1
8a9e262a7319d2699cbee02b9de83fecd4bb3457

SHA256
5174e6fefa2a518cdaadb75f07a9bb7f9aaa6e0e24ba1610d3e400036cf02900

SHA512
3e3ea7e36e9dbaa5a969846f575f5138ba416a88bdc07f1e99af66a6c18a458434c680ade203dda242be3aa10c02c21e3f9427ad39ef90b72cc03855ddc93e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\d29e95c6-f80d-4963-86c8-f26138dc3589.vbs

Filesize
749B

MD5
b510e5703c8b1ead88667e4b43ee9080

SHA1
dbda402d47607a018f93b827786a6d661acf6e76

SHA256
66af82e13dd5c7b82d434cdf80151b4f9ba43c8600ffecf8c427b8f834031a0b

SHA512
8b2978e7c3dffce3a161b93cf80295241034f6b472cc1958138ea55a126ec0791241721ee30b2d30b7f4dbcc6ff0f5e60f04e88917dfd6a0983dba3659f56b40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d6d5e8506560f58b0a7a5b9a5c03852e

SHA1
58c57f6ca8e152e1c5e80ee981837897f0edec00

SHA256
34b9912ef27ac4279910f8cde674b5a92e7f844e0590b97c18dd7931e22b7de4

SHA512
9e41f7742797f21d068b688f397e80a447decb557e3de6d220635f9e3a36839fc21188ea2950e01332363d6e2909f14c0cc4da92626a5ef3e807c0bcadf253f6

Download Submit
C:\Windows\es-ES\OSPPSVC.exe

Filesize
5.9MB

MD5
0c73858a3c5bd8459a410e019d13dde3

SHA1
15d29131f21555e5df6d74f6f1506204dd9656a6

SHA256
c738fb5446f85678e877b68a8aacf49bc7b514712caacbf96ca6e73a9d203539

SHA512
db4e0dd20113af75f753104db557c05c5c56397c952006a05e38ec9ca56150bf3ff8d31e9220d80f85011cf2f9937f3a09bc514a9f84d301b26b00eab12600f0

Download Submit
memory/1576-180-0x00000000000F0000-0x00000000009E8000-memory.dmp

Filesize
9.0MB

Download
memory/1576-182-0x0000000000E20000-0x0000000000E32000-memory.dmp

Filesize
72KB

Download
memory/1576-183-0x0000000002B80000-0x0000000002BD6000-memory.dmp

Filesize
344KB

Download
memory/2384-129-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2384-128-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/2652-17-0x0000000000560000-0x00000000005B6000-memory.dmp

Filesize
344KB

Download
memory/2652-30-0x000000001B090000-0x000000001B09C000-memory.dmp

Filesize
48KB

Download
memory/2652-18-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/2652-13-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/2652-23-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/2652-21-0x0000000002A70000-0x0000000002A78000-memory.dmp

Filesize
32KB

Download
memory/2652-20-0x0000000000C50000-0x0000000000C5C000-memory.dmp

Filesize
48KB

Download
memory/2652-19-0x0000000000C40000-0x0000000000C48000-memory.dmp

Filesize
32KB

Download
memory/2652-25-0x0000000002B40000-0x0000000002B4C000-memory.dmp

Filesize
48KB

Download
memory/2652-26-0x0000000002B50000-0x0000000002B58000-memory.dmp

Filesize
32KB

Download
memory/2652-27-0x000000001B060000-0x000000001B06C000-memory.dmp

Filesize
48KB

Download
memory/2652-28-0x000000001B070000-0x000000001B07C000-memory.dmp

Filesize
48KB

Download
memory/2652-33-0x000000001B0C0000-0x000000001B0C8000-memory.dmp

Filesize
32KB

Download
memory/2652-39-0x000000001B570000-0x000000001B57C000-memory.dmp

Filesize
48KB

Download
memory/2652-38-0x000000001B560000-0x000000001B56A000-memory.dmp

Filesize
40KB

Download
memory/2652-37-0x000000001B550000-0x000000001B558000-memory.dmp

Filesize
32KB

Download
memory/2652-36-0x000000001B540000-0x000000001B54C000-memory.dmp

Filesize
48KB

Download
memory/2652-35-0x000000001B160000-0x000000001B168000-memory.dmp

Filesize
32KB

Download
memory/2652-34-0x000000001B150000-0x000000001B15E000-memory.dmp

Filesize
56KB

Download
memory/2652-32-0x000000001B0B0000-0x000000001B0BE000-memory.dmp

Filesize
56KB

Download
memory/2652-31-0x000000001B0A0000-0x000000001B0AA000-memory.dmp

Filesize
40KB

Download
memory/2652-14-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/2652-29-0x000000001B080000-0x000000001B088000-memory.dmp

Filesize
32KB

Download
memory/2652-24-0x0000000002A90000-0x0000000002A9C000-memory.dmp

Filesize
48KB

Download
memory/2652-6-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/2652-0-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

Filesize
4KB

Download
memory/2652-16-0x0000000000550000-0x000000000055A000-memory.dmp

Filesize
40KB

Download
memory/2652-15-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/2652-7-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2652-10-0x00000000004D0000-0x00000000004E6000-memory.dmp

Filesize
88KB

Download
memory/2652-11-0x00000000004F0000-0x00000000004F8000-memory.dmp

Filesize
32KB

Download
memory/2652-12-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2652-1-0x0000000000C60000-0x0000000001558000-memory.dmp

Filesize
9.0MB

Download
memory/2652-167-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-2-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2652-8-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/2652-9-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/2652-5-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/2652-4-0x0000000000160000-0x000000000016E000-memory.dmp

Filesize
56KB

Download
memory/2652-3-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2752-195-0x0000000000340000-0x0000000000C38000-memory.dmp

Filesize
9.0MB

Download
memory/2784-169-0x0000000002A40000-0x0000000002A52000-memory.dmp

Filesize
72KB

Download
memory/2784-166-0x0000000000D40000-0x0000000001638000-memory.dmp

Filesize
9.0MB

Download