dcrat | ce63ae9069832ff3b0f2eb76b384c40cd8b70987280d4cc07559493a2b5c04ff

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c948e42267877c379b01be5faa66926.exe
Size

5.9MB
MD5

4c948e42267877c379b01be5faa66926
SHA1

282254e3ab196c9810c8bdf74f3fe00977bfa120
SHA256

63a4873a5658c4de311b5952d39969115f434f90c14d18a991dbc475b03ce8a7
SHA512

776483f78e6f9634551ce06d87e8fad9a58afbd962d62eb6176f2e5d05bf3c77a026af2b2e0a36c22957141de18ce085e9084aafb0c3ca3436270395f6fc5612
SSDEEP

98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw47:hyeU11Rvqmu8TWKnF6N/1wK

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2620	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2620	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2620	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2620	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2620	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2620	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2620	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2620	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2620	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2620	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2620	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2620	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2620	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2620	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2620	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	2620	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2620	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2620	schtasks.exe	29

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c948e42267877c379b01be5faa66926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c948e42267877c379b01be5faa66926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c948e42267877c379b01be5faa66926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1632	powershell.exe
1464	powershell.exe
276	powershell.exe
1796	powershell.exe
684	powershell.exe
356	powershell.exe
576	powershell.exe
1520	powershell.exe
2996	powershell.exe
1864	powershell.exe
2516	powershell.exe
900	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	4c948e42267877c379b01be5faa66926.exe

Executes dropped EXE 3 IoCs

pid	Process
2480	taskhost.exe
3040	taskhost.exe
1584	taskhost.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4c948e42267877c379b01be5faa66926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c948e42267877c379b01be5faa66926.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
2480	taskhost.exe
2480	taskhost.exe
3040	taskhost.exe
3040	taskhost.exe
1584	taskhost.exe
1584	taskhost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\spoolsv.exe	4c948e42267877c379b01be5faa66926.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\f3b6ecef712a24	4c948e42267877c379b01be5faa66926.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCX9056.tmp	4c948e42267877c379b01be5faa66926.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCX9057.tmp	4c948e42267877c379b01be5faa66926.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\WmiPrvSE.exe	4c948e42267877c379b01be5faa66926.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\WmiPrvSE.exe	4c948e42267877c379b01be5faa66926.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\24dbde2999530e	4c948e42267877c379b01be5faa66926.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\RCX947F.tmp	4c948e42267877c379b01be5faa66926.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\RCX94FC.tmp	4c948e42267877c379b01be5faa66926.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\spoolsv.exe	4c948e42267877c379b01be5faa66926.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PCHEALTH\RCX926B.tmp	4c948e42267877c379b01be5faa66926.exe
File created	C:\Windows\system\886983d96e3d3e	4c948e42267877c379b01be5faa66926.exe
File created	C:\Windows\PCHEALTH\System.exe	4c948e42267877c379b01be5faa66926.exe
File created	C:\Windows\PCHEALTH\27d1bcfc3c54e0	4c948e42267877c379b01be5faa66926.exe
File opened for modification	C:\Windows\PCHEALTH\System.exe	4c948e42267877c379b01be5faa66926.exe
File created	C:\Windows\system\csrss.exe	4c948e42267877c379b01be5faa66926.exe
File opened for modification	C:\Windows\system\RCX8E41.tmp	4c948e42267877c379b01be5faa66926.exe
File opened for modification	C:\Windows\system\RCX8E42.tmp	4c948e42267877c379b01be5faa66926.exe
File opened for modification	C:\Windows\system\csrss.exe	4c948e42267877c379b01be5faa66926.exe
File opened for modification	C:\Windows\PCHEALTH\RCX926A.tmp	4c948e42267877c379b01be5faa66926.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1000	schtasks.exe
1060	schtasks.exe
1452	schtasks.exe
2448	schtasks.exe
2464	schtasks.exe
2284	schtasks.exe
2288	schtasks.exe
1932	schtasks.exe
2944	schtasks.exe
2760	schtasks.exe
112	schtasks.exe
2272	schtasks.exe
1232	schtasks.exe
328	schtasks.exe
2056	schtasks.exe
772	schtasks.exe
2412	schtasks.exe
108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
576	powershell.exe
900	powershell.exe
1632	powershell.exe
1744	4c948e42267877c379b01be5faa66926.exe
1744	4c948e42267877c379b01be5faa66926.exe
276	powershell.exe
684	powershell.exe
1864	powershell.exe
2996	powershell.exe
1796	powershell.exe
1520	powershell.exe
356	powershell.exe
2516	powershell.exe
1464	powershell.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe
2480	taskhost.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1744	4c948e42267877c379b01be5faa66926.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	356	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	2480	taskhost.exe
Token: SeDebugPrivilege	3040	taskhost.exe
Token: SeDebugPrivilege	1584	taskhost.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 576	1744	4c948e42267877c379b01be5faa66926.exe	48
PID 1744 wrote to memory of 576	1744	4c948e42267877c379b01be5faa66926.exe	48
PID 1744 wrote to memory of 576	1744	4c948e42267877c379b01be5faa66926.exe	48
PID 1744 wrote to memory of 1632	1744	4c948e42267877c379b01be5faa66926.exe	49
PID 1744 wrote to memory of 1632	1744	4c948e42267877c379b01be5faa66926.exe	49
PID 1744 wrote to memory of 1632	1744	4c948e42267877c379b01be5faa66926.exe	49
PID 1744 wrote to memory of 356	1744	4c948e42267877c379b01be5faa66926.exe	51
PID 1744 wrote to memory of 356	1744	4c948e42267877c379b01be5faa66926.exe	51
PID 1744 wrote to memory of 356	1744	4c948e42267877c379b01be5faa66926.exe	51
PID 1744 wrote to memory of 1464	1744	4c948e42267877c379b01be5faa66926.exe	52
PID 1744 wrote to memory of 1464	1744	4c948e42267877c379b01be5faa66926.exe	52
PID 1744 wrote to memory of 1464	1744	4c948e42267877c379b01be5faa66926.exe	52
PID 1744 wrote to memory of 900	1744	4c948e42267877c379b01be5faa66926.exe	53
PID 1744 wrote to memory of 900	1744	4c948e42267877c379b01be5faa66926.exe	53
PID 1744 wrote to memory of 900	1744	4c948e42267877c379b01be5faa66926.exe	53
PID 1744 wrote to memory of 2516	1744	4c948e42267877c379b01be5faa66926.exe	55
PID 1744 wrote to memory of 2516	1744	4c948e42267877c379b01be5faa66926.exe	55
PID 1744 wrote to memory of 2516	1744	4c948e42267877c379b01be5faa66926.exe	55
PID 1744 wrote to memory of 684	1744	4c948e42267877c379b01be5faa66926.exe	57
PID 1744 wrote to memory of 684	1744	4c948e42267877c379b01be5faa66926.exe	57
PID 1744 wrote to memory of 684	1744	4c948e42267877c379b01be5faa66926.exe	57
PID 1744 wrote to memory of 1864	1744	4c948e42267877c379b01be5faa66926.exe	58
PID 1744 wrote to memory of 1864	1744	4c948e42267877c379b01be5faa66926.exe	58
PID 1744 wrote to memory of 1864	1744	4c948e42267877c379b01be5faa66926.exe	58
PID 1744 wrote to memory of 2996	1744	4c948e42267877c379b01be5faa66926.exe	60
PID 1744 wrote to memory of 2996	1744	4c948e42267877c379b01be5faa66926.exe	60
PID 1744 wrote to memory of 2996	1744	4c948e42267877c379b01be5faa66926.exe	60
PID 1744 wrote to memory of 1796	1744	4c948e42267877c379b01be5faa66926.exe	62
PID 1744 wrote to memory of 1796	1744	4c948e42267877c379b01be5faa66926.exe	62
PID 1744 wrote to memory of 1796	1744	4c948e42267877c379b01be5faa66926.exe	62
PID 1744 wrote to memory of 1520	1744	4c948e42267877c379b01be5faa66926.exe	64
PID 1744 wrote to memory of 1520	1744	4c948e42267877c379b01be5faa66926.exe	64
PID 1744 wrote to memory of 1520	1744	4c948e42267877c379b01be5faa66926.exe	64
PID 1744 wrote to memory of 276	1744	4c948e42267877c379b01be5faa66926.exe	65
PID 1744 wrote to memory of 276	1744	4c948e42267877c379b01be5faa66926.exe	65
PID 1744 wrote to memory of 276	1744	4c948e42267877c379b01be5faa66926.exe	65
PID 1744 wrote to memory of 2480	1744	4c948e42267877c379b01be5faa66926.exe	72
PID 1744 wrote to memory of 2480	1744	4c948e42267877c379b01be5faa66926.exe	72
PID 1744 wrote to memory of 2480	1744	4c948e42267877c379b01be5faa66926.exe	72
PID 2480 wrote to memory of 2180	2480	taskhost.exe	73
PID 2480 wrote to memory of 2180	2480	taskhost.exe	73
PID 2480 wrote to memory of 2180	2480	taskhost.exe	73
PID 2480 wrote to memory of 2096	2480	taskhost.exe	74
PID 2480 wrote to memory of 2096	2480	taskhost.exe	74
PID 2480 wrote to memory of 2096	2480	taskhost.exe	74
PID 2180 wrote to memory of 3040	2180	WScript.exe	75
PID 2180 wrote to memory of 3040	2180	WScript.exe	75
PID 2180 wrote to memory of 3040	2180	WScript.exe	75
PID 3040 wrote to memory of 2332	3040	taskhost.exe	76
PID 3040 wrote to memory of 2332	3040	taskhost.exe	76
PID 3040 wrote to memory of 2332	3040	taskhost.exe	76
PID 3040 wrote to memory of 2632	3040	taskhost.exe	77
PID 3040 wrote to memory of 2632	3040	taskhost.exe	77
PID 3040 wrote to memory of 2632	3040	taskhost.exe	77
PID 2332 wrote to memory of 1584	2332	WScript.exe	78
PID 2332 wrote to memory of 1584	2332	WScript.exe	78
PID 2332 wrote to memory of 1584	2332	WScript.exe	78
PID 1584 wrote to memory of 2588	1584	taskhost.exe	79
PID 1584 wrote to memory of 2588	1584	taskhost.exe	79
PID 1584 wrote to memory of 2588	1584	taskhost.exe	79
PID 1584 wrote to memory of 2268	1584	taskhost.exe	80
PID 1584 wrote to memory of 2268	1584	taskhost.exe	80
PID 1584 wrote to memory of 2268	1584	taskhost.exe	80

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c948e42267877c379b01be5faa66926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c948e42267877c379b01be5faa66926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c948e42267877c379b01be5faa66926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4c948e42267877c379b01be5faa66926.exe
"C:\Users\Admin\AppData\Local\Temp\4c948e42267877c379b01be5faa66926.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:276
- C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe
  "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2480
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f2f7c7b-a596-41c1-b95c-4a28ad553aa0.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe
      C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3040
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\757224aa-b812-4baf-8661-ca388a49ba41.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2332
      - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db014481-c8ca-4e51-af84-5912c67be572.vbs"
        7⤵
        
        PID:2588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3683397a-33c3-418b-83a2-be6e31037460.vbs"
        7⤵
        
        PID:2268
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71e5858d-358e-4688-845b-404703284bc6.vbs"
        5⤵
        
        PID:2632
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15c38bc6-88b6-4a63-8693-63bc7803781b.vbs"
    3⤵
    PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\system\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\system\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\system\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\PCHEALTH\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Adobe\Updater6\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Updater6\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe\Updater6\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\services.exe

Filesize
5.9MB

MD5
8e389a2d683417d1a3b3d6f15002dfad

SHA1
5577324c1c238946f808605da35611a3c60b8d77

SHA256
9d0e05f41e9d926468993150937ccf30cc5f6b572e34f466a9983bea23435455

SHA512
a4f0c816ea7368be0466ba5739fe356b5460c930bb28de597922e9ad9b90cf713612ecda95b04028381934d77b34e770d4a010daec6ee792636b4cb695fd58e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\15c38bc6-88b6-4a63-8693-63bc7803781b.vbs

Filesize
513B

MD5
0ce86e29532e10dfd6121379d5857335

SHA1
b5242f3ab6528b7b992201ad5d4db3be627f8222

SHA256
42e03af162e7962865fe2ac174183e5b58fc846daee1e41d0f40d650ff8a6dc1

SHA512
f2ba8791ca81d075cccbcff4db9b95587932f5452f33935266da9560c8cda9e43fe302e6af3f058a101b3710c8c488e7936c070914267bda0f6ee0787b7de30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\757224aa-b812-4baf-8661-ca388a49ba41.vbs

Filesize
737B

MD5
8cd48d5797991e373d738e674d8682f1

SHA1
76fe47a25f32c79fd90dece975f762dc8b9f4f13

SHA256
fc8aadf475d68ef30167a7d1caa2d1a82b35e205eff05c13c5f43e7f7db04550

SHA512
285a7407ef5a33f71e1b35543b081b623660dc32be88ac77ca3dc10294f134679c03428e57482b4922ddd59326fe784fd326a789b29ca450aa2bea03c7303568

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f2f7c7b-a596-41c1-b95c-4a28ad553aa0.vbs

Filesize
737B

MD5
53018d5772d90c6d17ebf45f0c936c2d

SHA1
2b68505d2a86f36056dce639a1eab81d069298ac

SHA256
719458b708a9c8b760208cbd77c784ff33d35f6277402a38e8757d36551efe86

SHA512
3616622d937ad6aeb2c5f061c9a29f056082b0a04cc0ed147e24790d3c5b7781fbc4383bf5f3e437ff9940717dd887166c519a87de0bb840aa7e2df76c3ade73

Download Submit
C:\Users\Admin\AppData\Local\Temp\db014481-c8ca-4e51-af84-5912c67be572.vbs

Filesize
737B

MD5
87feefd19a249d52c0872d23c5ec244b

SHA1
e462b16b106817cac42e615cd11e0afcb5783e6a

SHA256
eab1a771f2d8a864d4e1a68ec74ab012430a59686d4c6089f1fbdfec7d16a320

SHA512
169d7eb46201090353cd5a040f5c9bce23b1067d87a45950b23a94b838984cda191bf824202266750898ce4dea2b3344e4ee74e7e768829a99a45e48bcf8feaf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
878c014e1acaed6816984b450a1fdd09

SHA1
56aae4acf5648170d39c8eaaeb698dd9a97f1550

SHA256
7bed139aa65b062c0de5f39fbe098b61a35d6c15798455cc48bd6631527e123b

SHA512
8626249a610375138391f2f0397b3043d6b075bd28dd1513dd0eb5635f550667053abd08b7b6ca04b7d0b9af7bcd04b678c918494a1079bf7fccdf8dec724d0b

Download Submit
C:\Windows\PCHEALTH\System.exe

Filesize
5.9MB

MD5
4c948e42267877c379b01be5faa66926

SHA1
282254e3ab196c9810c8bdf74f3fe00977bfa120

SHA256
63a4873a5658c4de311b5952d39969115f434f90c14d18a991dbc475b03ce8a7

SHA512
776483f78e6f9634551ce06d87e8fad9a58afbd962d62eb6176f2e5d05bf3c77a026af2b2e0a36c22957141de18ce085e9084aafb0c3ca3436270395f6fc5612

Download Submit
memory/900-149-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/900-138-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/1584-224-0x0000000000BF0000-0x0000000000C02000-memory.dmp

Filesize
72KB

Download
memory/1584-222-0x0000000000FD0000-0x00000000018C8000-memory.dmp

Filesize
9.0MB

Download
memory/1744-13-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

Filesize
48KB

Download
memory/1744-33-0x000000001B9A0000-0x000000001B9A8000-memory.dmp

Filesize
32KB

Download
memory/1744-0-0x000007FEF64B3000-0x000007FEF64B4000-memory.dmp

Filesize
4KB

Download
memory/1744-14-0x0000000002A40000-0x0000000002A48000-memory.dmp

Filesize
32KB

Download
memory/1744-15-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/1744-16-0x0000000002A70000-0x0000000002A7A000-memory.dmp

Filesize
40KB

Download
memory/1744-17-0x000000001B030000-0x000000001B086000-memory.dmp

Filesize
344KB

Download
memory/1744-18-0x0000000002A80000-0x0000000002A8C000-memory.dmp

Filesize
48KB

Download
memory/1744-19-0x0000000002A90000-0x0000000002A98000-memory.dmp

Filesize
32KB

Download
memory/1744-20-0x0000000002B20000-0x0000000002B2C000-memory.dmp

Filesize
48KB

Download
memory/1744-21-0x0000000002B30000-0x0000000002B38000-memory.dmp

Filesize
32KB

Download
memory/1744-23-0x0000000002B40000-0x0000000002B52000-memory.dmp

Filesize
72KB

Download
memory/1744-24-0x000000001B080000-0x000000001B08C000-memory.dmp

Filesize
48KB

Download
memory/1744-25-0x000000001B090000-0x000000001B09C000-memory.dmp

Filesize
48KB

Download
memory/1744-26-0x000000001B0A0000-0x000000001B0A8000-memory.dmp

Filesize
32KB

Download
memory/1744-27-0x000000001B480000-0x000000001B48C000-memory.dmp

Filesize
48KB

Download
memory/1744-28-0x000000001B490000-0x000000001B49C000-memory.dmp

Filesize
48KB

Download
memory/1744-29-0x000000001B4A0000-0x000000001B4A8000-memory.dmp

Filesize
32KB

Download
memory/1744-30-0x000000001B4B0000-0x000000001B4BC000-memory.dmp

Filesize
48KB

Download
memory/1744-31-0x000000001B4C0000-0x000000001B4CA000-memory.dmp

Filesize
40KB

Download
memory/1744-32-0x000000001B4D0000-0x000000001B4DE000-memory.dmp

Filesize
56KB

Download
memory/1744-12-0x0000000002A50000-0x0000000002A62000-memory.dmp

Filesize
72KB

Download
memory/1744-34-0x000000001B9B0000-0x000000001B9BE000-memory.dmp

Filesize
56KB

Download
memory/1744-35-0x000000001BAC0000-0x000000001BAC8000-memory.dmp

Filesize
32KB

Download
memory/1744-36-0x000000001BAD0000-0x000000001BADC000-memory.dmp

Filesize
48KB

Download
memory/1744-37-0x000000001BAE0000-0x000000001BAE8000-memory.dmp

Filesize
32KB

Download
memory/1744-38-0x000000001BAF0000-0x000000001BAFA000-memory.dmp

Filesize
40KB

Download
memory/1744-39-0x000000001BC00000-0x000000001BC0C000-memory.dmp

Filesize
48KB

Download
memory/1744-11-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/1744-10-0x0000000000B90000-0x0000000000BA6000-memory.dmp

Filesize
88KB

Download
memory/1744-9-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/1744-8-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/1744-7-0x0000000000A50000-0x0000000000A6C000-memory.dmp

Filesize
112KB

Download
memory/1744-1-0x0000000000BC0000-0x00000000014B8000-memory.dmp

Filesize
9.0MB

Download
memory/1744-171-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

Filesize
9.9MB

Download
memory/1744-6-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/1744-5-0x00000000001E0000-0x00000000001EE000-memory.dmp

Filesize
56KB

Download
memory/1744-2-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1744-3-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

Filesize
9.9MB

Download
memory/1744-4-0x00000000001D0000-0x00000000001DE000-memory.dmp

Filesize
56KB

Download
memory/2480-169-0x0000000000020000-0x0000000000918000-memory.dmp

Filesize
9.0MB

Download
memory/3040-210-0x0000000001050000-0x00000000010A6000-memory.dmp

Filesize
344KB

Download
memory/3040-209-0x0000000000E90000-0x0000000000EA2000-memory.dmp

Filesize
72KB

Download
memory/3040-207-0x0000000000290000-0x0000000000B88000-memory.dmp

Filesize
9.0MB

Download