dcrat | 56eaeb544a5b324a1b498dc1839a346277ea0ba6840f6d5ceb898b823f14d2d5

Analysis

max time kernel
28s
max time network
20s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73d6911ed247a840f2f372a605a99407.exe
Size

1.1MB
MD5

73d6911ed247a840f2f372a605a99407
SHA1

595953dd65ceb6ce48af99d0e4533ac711681733
SHA256

e1dacd883b37c7e481b4fc643b5628e061155f7c4f37874907ac2c8a5e66d7c0
SHA512

ba7b325ca5ff67273ebe485904d7981f8d70b3b2e9647c2f702bb0e6f3058faf35d4fab1351deaadf8fb126517595766d7039ee56b97c21fff36a43026696544
SSDEEP

12288:amc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:ah4TbLUEhZL/GspeYhkc9Soh2SfwJ

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 8 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		73d6911ed247a840f2f372a605a99407.exe
File created	C:\Windows\fveupdate\7a0fd90576e088		73d6911ed247a840f2f372a605a99407.exe
		2744	schtasks.exe
		2848	schtasks.exe
		964	schtasks.exe
		2284	schtasks.exe
		2900	schtasks.exe
		2388	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\fveupdate\\explorer.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\fveupdate\\explorer.exe\", \"C:\\Windows\\System32\\vaultsvc\\sppsvc.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\fveupdate\\explorer.exe\", \"C:\\Windows\\System32\\vaultsvc\\sppsvc.exe\", \"C:\\Windows\\System32\\rasmbmgr\\sppsvc.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\fveupdate\\explorer.exe\", \"C:\\Windows\\System32\\vaultsvc\\sppsvc.exe\", \"C:\\Windows\\System32\\rasmbmgr\\sppsvc.exe\", \"C:\\Program Files\\Microsoft Games\\More Games\\ja-JP\\winlogon.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\fveupdate\\explorer.exe\", \"C:\\Windows\\System32\\vaultsvc\\sppsvc.exe\", \"C:\\Windows\\System32\\rasmbmgr\\sppsvc.exe\", \"C:\\Program Files\\Microsoft Games\\More Games\\ja-JP\\winlogon.exe\", \"C:\\Program Files\\Microsoft Games\\Mahjong\\fr-FR\\winlogon.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\fveupdate\\explorer.exe\", \"C:\\Windows\\System32\\vaultsvc\\sppsvc.exe\", \"C:\\Windows\\System32\\rasmbmgr\\sppsvc.exe\", \"C:\\Program Files\\Microsoft Games\\More Games\\ja-JP\\winlogon.exe\", \"C:\\Program Files\\Microsoft Games\\Mahjong\\fr-FR\\winlogon.exe\", \"C:\\Documents and Settings\\73d6911ed247a840f2f372a605a99407.exe\""	73d6911ed247a840f2f372a605a99407.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	1084	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	1084	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	1084	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	1084	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1084	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	1084	schtasks.exe	29

UAC bypass 3 TTPs 3 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	73d6911ed247a840f2f372a605a99407.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	73d6911ed247a840f2f372a605a99407.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	73d6911ed247a840f2f372a605a99407.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2300	powershell.exe
3044	powershell.exe
2372	powershell.exe
2384	powershell.exe
2648	powershell.exe
2400	powershell.exe
2336	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	73d6911ed247a840f2f372a605a99407.exe

Executes dropped EXE 1 IoCs

pid	Process
2012	sppsvc.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\fveupdate\\explorer.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\vaultsvc\\sppsvc.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\vaultsvc\\sppsvc.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\rasmbmgr\\sppsvc.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Microsoft Games\\More Games\\ja-JP\\winlogon.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Microsoft Games\\More Games\\ja-JP\\winlogon.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Microsoft Games\\Mahjong\\fr-FR\\winlogon.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Microsoft Games\\Mahjong\\fr-FR\\winlogon.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\fveupdate\\explorer.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\rasmbmgr\\sppsvc.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\73d6911ed247a840f2f372a605a99407 = "\"C:\\Documents and Settings\\73d6911ed247a840f2f372a605a99407.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\73d6911ed247a840f2f372a605a99407 = "\"C:\\Documents and Settings\\73d6911ed247a840f2f372a605a99407.exe\""	73d6911ed247a840f2f372a605a99407.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	73d6911ed247a840f2f372a605a99407.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	73d6911ed247a840f2f372a605a99407.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\rasmbmgr\sppsvc.exe	73d6911ed247a840f2f372a605a99407.exe
File created	C:\Windows\System32\rasmbmgr\0a1fd5f707cd16	73d6911ed247a840f2f372a605a99407.exe
File opened for modification	C:\Windows\System32\vaultsvc\RCX41F2.tmp	73d6911ed247a840f2f372a605a99407.exe
File opened for modification	C:\Windows\System32\vaultsvc\sppsvc.exe	73d6911ed247a840f2f372a605a99407.exe
File opened for modification	C:\Windows\System32\rasmbmgr\RCX4405.tmp	73d6911ed247a840f2f372a605a99407.exe
File opened for modification	C:\Windows\System32\rasmbmgr\sppsvc.exe	73d6911ed247a840f2f372a605a99407.exe
File created	C:\Windows\System32\vaultsvc\sppsvc.exe	73d6911ed247a840f2f372a605a99407.exe
File created	C:\Windows\System32\vaultsvc\0a1fd5f707cd16	73d6911ed247a840f2f372a605a99407.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\More Games\ja-JP\winlogon.exe	73d6911ed247a840f2f372a605a99407.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\fr-FR\RCX483C.tmp	73d6911ed247a840f2f372a605a99407.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\fr-FR\winlogon.exe	73d6911ed247a840f2f372a605a99407.exe
File created	C:\Program Files\Microsoft Games\More Games\ja-JP\winlogon.exe	73d6911ed247a840f2f372a605a99407.exe
File created	C:\Program Files\Microsoft Games\More Games\ja-JP\cc11b995f2a76d	73d6911ed247a840f2f372a605a99407.exe
File created	C:\Program Files\Microsoft Games\Mahjong\fr-FR\winlogon.exe	73d6911ed247a840f2f372a605a99407.exe
File created	C:\Program Files\Microsoft Games\Mahjong\fr-FR\cc11b995f2a76d	73d6911ed247a840f2f372a605a99407.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\ja-JP\RCX4628.tmp	73d6911ed247a840f2f372a605a99407.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\fveupdate\7a0fd90576e088	73d6911ed247a840f2f372a605a99407.exe
File created	C:\Windows\servicing\Packages\services.exe	73d6911ed247a840f2f372a605a99407.exe
File opened for modification	C:\Windows\fveupdate\RCX3FBF.tmp	73d6911ed247a840f2f372a605a99407.exe
File created	C:\Windows\fveupdate\explorer.exe	73d6911ed247a840f2f372a605a99407.exe
File opened for modification	C:\Windows\fveupdate\explorer.exe	73d6911ed247a840f2f372a605a99407.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2900	schtasks.exe
2744	schtasks.exe
2848	schtasks.exe
964	schtasks.exe
2284	schtasks.exe
2388	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2012	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2384	powershell.exe
2372	powershell.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2400	powershell.exe
2300	powershell.exe
3044	powershell.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2336	powershell.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2648	powershell.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe
2268	73d6911ed247a840f2f372a605a99407.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	73d6911ed247a840f2f372a605a99407.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2012	sppsvc.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2336	2268	73d6911ed247a840f2f372a605a99407.exe	36
PID 2268 wrote to memory of 2336	2268	73d6911ed247a840f2f372a605a99407.exe	36
PID 2268 wrote to memory of 2336	2268	73d6911ed247a840f2f372a605a99407.exe	36
PID 2268 wrote to memory of 2300	2268	73d6911ed247a840f2f372a605a99407.exe	37
PID 2268 wrote to memory of 2300	2268	73d6911ed247a840f2f372a605a99407.exe	37
PID 2268 wrote to memory of 2300	2268	73d6911ed247a840f2f372a605a99407.exe	37
PID 2268 wrote to memory of 3044	2268	73d6911ed247a840f2f372a605a99407.exe	38
PID 2268 wrote to memory of 3044	2268	73d6911ed247a840f2f372a605a99407.exe	38
PID 2268 wrote to memory of 3044	2268	73d6911ed247a840f2f372a605a99407.exe	38
PID 2268 wrote to memory of 2372	2268	73d6911ed247a840f2f372a605a99407.exe	40
PID 2268 wrote to memory of 2372	2268	73d6911ed247a840f2f372a605a99407.exe	40
PID 2268 wrote to memory of 2372	2268	73d6911ed247a840f2f372a605a99407.exe	40
PID 2268 wrote to memory of 2400	2268	73d6911ed247a840f2f372a605a99407.exe	41
PID 2268 wrote to memory of 2400	2268	73d6911ed247a840f2f372a605a99407.exe	41
PID 2268 wrote to memory of 2400	2268	73d6911ed247a840f2f372a605a99407.exe	41
PID 2268 wrote to memory of 2648	2268	73d6911ed247a840f2f372a605a99407.exe	42
PID 2268 wrote to memory of 2648	2268	73d6911ed247a840f2f372a605a99407.exe	42
PID 2268 wrote to memory of 2648	2268	73d6911ed247a840f2f372a605a99407.exe	42
PID 2268 wrote to memory of 2384	2268	73d6911ed247a840f2f372a605a99407.exe	43
PID 2268 wrote to memory of 2384	2268	73d6911ed247a840f2f372a605a99407.exe	43
PID 2268 wrote to memory of 2384	2268	73d6911ed247a840f2f372a605a99407.exe	43
PID 2268 wrote to memory of 2204	2268	73d6911ed247a840f2f372a605a99407.exe	50
PID 2268 wrote to memory of 2204	2268	73d6911ed247a840f2f372a605a99407.exe	50
PID 2268 wrote to memory of 2204	2268	73d6911ed247a840f2f372a605a99407.exe	50
PID 2204 wrote to memory of 2404	2204	cmd.exe	52
PID 2204 wrote to memory of 2404	2204	cmd.exe	52
PID 2204 wrote to memory of 2404	2204	cmd.exe	52
PID 2204 wrote to memory of 2012	2204	cmd.exe	53
PID 2204 wrote to memory of 2012	2204	cmd.exe	53
PID 2204 wrote to memory of 2012	2204	cmd.exe	53
PID 2204 wrote to memory of 2012	2204	cmd.exe	53
PID 2204 wrote to memory of 2012	2204	cmd.exe	53

System policy modification 1 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	73d6911ed247a840f2f372a605a99407.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	73d6911ed247a840f2f372a605a99407.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	73d6911ed247a840f2f372a605a99407.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\73d6911ed247a840f2f372a605a99407.exe
"C:\Users\Admin\AppData\Local\Temp\73d6911ed247a840f2f372a605a99407.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\73d6911ed247a840f2f372a605a99407.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fveupdate\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\vaultsvc\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\rasmbmgr\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\More Games\ja-JP\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Mahjong\fr-FR\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\73d6911ed247a840f2f372a605a99407.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FMXFTWEmFF.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2404
- - C:\Windows\System32\rasmbmgr\sppsvc.exe
    "C:\Windows\System32\rasmbmgr\sppsvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\fveupdate\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\vaultsvc\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\rasmbmgr\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\More Games\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Mahjong\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "73d6911ed247a840f2f372a605a99407" /sc ONLOGON /tr "'C:\Documents and Settings\73d6911ed247a840f2f372a605a99407.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Games\Mahjong\fr-FR\winlogon.exe

Filesize
1.1MB

MD5
73d6911ed247a840f2f372a605a99407

SHA1
595953dd65ceb6ce48af99d0e4533ac711681733

SHA256
e1dacd883b37c7e481b4fc643b5628e061155f7c4f37874907ac2c8a5e66d7c0

SHA512
ba7b325ca5ff67273ebe485904d7981f8d70b3b2e9647c2f702bb0e6f3058faf35d4fab1351deaadf8fb126517595766d7039ee56b97c21fff36a43026696544

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMXFTWEmFF.bat

Filesize
203B

MD5
f6492a683c47f4ca449f2e5d111c1777

SHA1
b38dc10ed8160d5d3e4b682560462acc0758e663

SHA256
64c9f92c7aa70c7c41915ba5ba206c58fa84795b7ae6120125d753d3d8305c33

SHA512
ad0d536b2ddfadc3a7e1e904de4005a733878c823679880d8e66f8b7d7c7749319507a896f547c4755c7d40849db4812f74bb4071c55e6325434192b33156f25

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GTHHLU9XZ5KW1UK8ZKOV.temp

Filesize
7KB

MD5
6d4da4bfae2eb2a157c9962d7d4430c4

SHA1
dff62f629dbc5c5011244f1dcbad36f8dd3d7cbd

SHA256
b665731e5a3dea97ad6280f83476bc26e58d8bd4e6a22d7204931562595b9ce0

SHA512
112fdc0309094f15444717e9cb38cadfc2c78c52ef1323bcb6e0fb01c47c1f6536c0904ceedbb8a580ef84e894301356c72e9701a31c5cde12ae84ea21984475

Download Submit
memory/2012-134-0x0000000000130000-0x0000000000244000-memory.dmp

Filesize
1.1MB

Download
memory/2268-25-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/2268-18-0x00000000007D0000-0x00000000007D8000-memory.dmp

Filesize
32KB

Download
memory/2268-7-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/2268-10-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download
memory/2268-9-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/2268-8-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/2268-6-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/2268-11-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/2268-12-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/2268-13-0x0000000000670000-0x000000000067A000-memory.dmp

Filesize
40KB

Download
memory/2268-14-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/2268-15-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/2268-16-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/2268-17-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/2268-26-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/2268-20-0x00000000007E0000-0x00000000007EC000-memory.dmp

Filesize
48KB

Download
memory/2268-21-0x0000000000800000-0x0000000000808000-memory.dmp

Filesize
32KB

Download
memory/2268-24-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/2268-5-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2268-0-0x000007FEF66E3000-0x000007FEF66E4000-memory.dmp

Filesize
4KB

Download
memory/2268-51-0x000007FEF66E3000-0x000007FEF66E4000-memory.dmp

Filesize
4KB

Download
memory/2268-32-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/2268-33-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/2268-4-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/2268-41-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/2268-31-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/2268-73-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/2268-3-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/2268-2-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/2268-137-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/2268-136-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/2268-120-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/2268-128-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/2268-129-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/2268-130-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/2268-131-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/2268-1-0x00000000003C0000-0x00000000004D4000-memory.dmp

Filesize
1.1MB

Download
memory/2268-135-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/2384-104-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2384-103-0x000000001B430000-0x000000001B712000-memory.dmp

Filesize
2.9MB

Download