dcrat | a6b84afa6a28c6032c427152885270d3849a6a4134e442cac42e3f78becefc84

General

Target

9sUsHji0MKVo7U2RZ9gX14M.exe
Size

1.1MB
MD5

199ccc5abc45dd2c45831f1de72bb58a
SHA1

d832e8a52a971432fc575088e37831faec7008f2
SHA256

a6b84afa6a28c6032c427152885270d3849a6a4134e442cac42e3f78becefc84
SHA512

9f5b808d0d7a2cc09f5455f0090abb763d47d53dea18be3f5e2d44bb2eead80e6934491f13f7def2e17e1e3b89b2103fc122c337adf7243d5b9876e001bf67fc
SSDEEP

12288:t6NE5eSwJu37+GXJpkaI7ShG54v4ahgVY3whNG8/LI6i4ejmtnbAouuFteLBdBN9:t6NReJXJIwvJgVQSoPEzKkLXa

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

9sUsHji0MKVo7U2RZ9gX14M.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\WmiPrvSE.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\WmiPrvSE.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\WmiPrvSE.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\WmiPrvSE.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\WmiPrvSE.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\WmiPrvSE.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\WmiPrvSE.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\WmiPrvSE.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\smss.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\WmiPrvSE.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\WmiPrvSE.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\smss.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\csrss.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\9sUsHji0MKVo7U2RZ9gX14M.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Program Files\\Mozilla Firefox\\spoolsv.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\WmiPrvSE.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\WmiPrvSE.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\smss.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\csrss.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\9sUsHji0MKVo7U2RZ9gX14M.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Program Files\\Mozilla Firefox\\spoolsv.exe\", \"C:\\Windows\\it-IT\\csrss.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\WmiPrvSE.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\WmiPrvSE.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\smss.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\csrss.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\WmiPrvSE.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\WmiPrvSE.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\smss.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\csrss.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\9sUsHji0MKVo7U2RZ9gX14M.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\WmiPrvSE.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\WmiPrvSE.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\smss.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\csrss.exe\", \"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\9sUsHji0MKVo7U2RZ9gX14M.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1252	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2004-54-0x0000000000A90000-0x0000000000BBC000-memory.dmp	dcrat
C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\csrss.exe	dcrat
C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\csrss.exe	dcrat
behavioral1/memory/1948-71-0x0000000001100000-0x000000000122C000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

1948 csrss.exe

pid	process
1948	csrss.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9sUsHji0MKVo7U2RZ9gX14M.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\WmiPrvSE.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\WmiPrvSE.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\WmiPrvSE.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Mozilla Firefox\\spoolsv.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\it-IT\\csrss.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\WmiPrvSE.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\9sUsHji0MKVo7U2RZ9gX14M = "\"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\9sUsHji0MKVo7U2RZ9gX14M.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\WmiPrvSE.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\smss.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\csrss.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9sUsHji0MKVo7U2RZ9gX14M = "\"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\9sUsHji0MKVo7U2RZ9gX14M.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\WmiPrvSE.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Mozilla Firefox\\spoolsv.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\it-IT\\csrss.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\smss.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\\csrss.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe

Drops file in Program Files directory 12 IoCs

Processes:

9sUsHji0MKVo7U2RZ9gX14M.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe	9sUsHji0MKVo7U2RZ9gX14M.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\24dbde2999530e	9sUsHji0MKVo7U2RZ9gX14M.exe
File created	C:\Program Files\Mozilla Firefox\spoolsv.exe	9sUsHji0MKVo7U2RZ9gX14M.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCXA01.tmp	9sUsHji0MKVo7U2RZ9gX14M.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX17E8.tmp	9sUsHji0MKVo7U2RZ9gX14M.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe	9sUsHji0MKVo7U2RZ9gX14M.exe
File created	C:\Program Files\Windows Portable Devices\WmiPrvSE.exe	9sUsHji0MKVo7U2RZ9gX14M.exe
File created	C:\Program Files\Windows Portable Devices\24dbde2999530e	9sUsHji0MKVo7U2RZ9gX14M.exe
File created	C:\Program Files\Mozilla Firefox\f3b6ecef712a24	9sUsHji0MKVo7U2RZ9gX14M.exe
File opened for modification	C:\Program Files\Windows Portable Devices\WmiPrvSE.exe	9sUsHji0MKVo7U2RZ9gX14M.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCX3EFD.tmp	9sUsHji0MKVo7U2RZ9gX14M.exe
File opened for modification	C:\Program Files\Mozilla Firefox\spoolsv.exe	9sUsHji0MKVo7U2RZ9gX14M.exe

Drops file in Windows directory 4 IoCs

Processes:

9sUsHji0MKVo7U2RZ9gX14M.exe

description	ioc	process
File opened for modification	C:\Windows\it-IT\csrss.exe	9sUsHji0MKVo7U2RZ9gX14M.exe
File created	C:\Windows\it-IT\csrss.exe	9sUsHji0MKVo7U2RZ9gX14M.exe
File created	C:\Windows\it-IT\886983d96e3d3e	9sUsHji0MKVo7U2RZ9gX14M.exe
File opened for modification	C:\Windows\it-IT\RCX45F0.tmp	9sUsHji0MKVo7U2RZ9gX14M.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1212	schtasks.exe
1384	schtasks.exe
472	schtasks.exe
1868	schtasks.exe
548	schtasks.exe
1988	schtasks.exe
1008	schtasks.exe
1700	schtasks.exe
1304	schtasks.exe
1540	schtasks.exe
1452	schtasks.exe
936	schtasks.exe
1748	schtasks.exe
1816	schtasks.exe
844	schtasks.exe
1776	schtasks.exe
1300	schtasks.exe
1620	schtasks.exe
1104	schtasks.exe
1636	schtasks.exe
1588	schtasks.exe
1056	schtasks.exe
1624	schtasks.exe
1688	schtasks.exe
1068	schtasks.exe
1040	schtasks.exe
316	schtasks.exe
848	schtasks.exe
784	schtasks.exe
1720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9sUsHji0MKVo7U2RZ9gX14M.execsrss.exe

pid process

2004 9sUsHji0MKVo7U2RZ9gX14M.exe
1948 csrss.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9sUsHji0MKVo7U2RZ9gX14M.execsrss.exe

description pid process

Token: SeDebugPrivilege 2004 9sUsHji0MKVo7U2RZ9gX14M.exe
Token: SeDebugPrivilege 1948 csrss.exe

pid	process
2004	9sUsHji0MKVo7U2RZ9gX14M.exe
1948	csrss.exe

description	pid	process
Token: SeDebugPrivilege	2004	9sUsHji0MKVo7U2RZ9gX14M.exe
Token: SeDebugPrivilege	1948	csrss.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9sUsHji0MKVo7U2RZ9gX14M.execmd.exe

description	pid	process	target process
PID 2004 wrote to memory of 1596	2004	9sUsHji0MKVo7U2RZ9gX14M.exe	cmd.exe
PID 2004 wrote to memory of 1596	2004	9sUsHji0MKVo7U2RZ9gX14M.exe	cmd.exe
PID 2004 wrote to memory of 1596	2004	9sUsHji0MKVo7U2RZ9gX14M.exe	cmd.exe
PID 1596 wrote to memory of 1528	1596	cmd.exe	w32tm.exe
PID 1596 wrote to memory of 1528	1596	cmd.exe	w32tm.exe
PID 1596 wrote to memory of 1528	1596	cmd.exe	w32tm.exe
PID 1596 wrote to memory of 1948	1596	cmd.exe	csrss.exe
PID 1596 wrote to memory of 1948	1596	cmd.exe	csrss.exe
PID 1596 wrote to memory of 1948	1596	cmd.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\9sUsHji0MKVo7U2RZ9gX14M.exe
"C:\Users\Admin\AppData\Local\Temp\9sUsHji0MKVo7U2RZ9gX14M.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TtB34HArmy.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1528

C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\csrss.exe
"C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\csrss.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9sUsHji0MKVo7U2RZ9gX14M9" /sc MINUTE /mo 6 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\9sUsHji0MKVo7U2RZ9gX14M.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9sUsHji0MKVo7U2RZ9gX14M" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\9sUsHji0MKVo7U2RZ9gX14M.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9sUsHji0MKVo7U2RZ9gX14M9" /sc MINUTE /mo 8 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\9sUsHji0MKVo7U2RZ9gX14M.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\csrss.exe
Filesize
1.1MB

MD5
ccb33d17bd4ab149f81aca35783b19b3

SHA1
98a6789cdcaa19c665b47f6deffd4d4ac155c7cf

SHA256
0cc45f151726083d4e3ab19719125cd454c0d1273460bb8f1009ebcba7edd28f

SHA512
6e1d1f46775d72c855d00abad259cd037ae7b1cad031214d15907d3db8b68118520378b0113c872c911d32cb5ab232dea28ffd9f82f9a1ae7a1e8222eee59a0b

Download Submit
C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\csrss.exe
Filesize
1.1MB

MD5
ccb33d17bd4ab149f81aca35783b19b3

SHA1
98a6789cdcaa19c665b47f6deffd4d4ac155c7cf

SHA256
0cc45f151726083d4e3ab19719125cd454c0d1273460bb8f1009ebcba7edd28f

SHA512
6e1d1f46775d72c855d00abad259cd037ae7b1cad031214d15907d3db8b68118520378b0113c872c911d32cb5ab232dea28ffd9f82f9a1ae7a1e8222eee59a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TtB34HArmy.bat
Filesize
223B

MD5
9e229bc9b91b3e8c78bc20255a10d1a4

SHA1
f842836a5f60386e84547af9bc7cde74c9cc0a9f

SHA256
6a857d116d0cbe0a23391b80aa130fe5fd455861fe534f000fc3ffc2b4c826c5

SHA512
cd50046554c78fba853f5e75d85a19142c06459e116895d740f69fc755a2e12f77ab6d8af3eb7d2771b7c040b5f5d3e1afda4f398694cdba6d40871b3f823bc9

Download Submit
memory/1528-67-0x0000000000000000-mapping.dmp

Download
memory/1596-65-0x0000000000000000-mapping.dmp

Download
memory/1948-72-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/1948-71-0x0000000001100000-0x000000000122C000-memory.dmp

Filesize
1.2MB

Download
memory/1948-69-0x0000000000000000-mapping.dmp

Download
memory/2004-58-0x0000000000A60000-0x0000000000A72000-memory.dmp

Filesize
72KB

Download
memory/2004-63-0x0000000002260000-0x000000000226E000-memory.dmp

Filesize
56KB

Download
memory/2004-64-0x0000000002270000-0x000000000227C000-memory.dmp

Filesize
48KB

Download
memory/2004-62-0x00000000020F0000-0x00000000020F8000-memory.dmp

Filesize
32KB

Download
memory/2004-61-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/2004-60-0x0000000000A70000-0x0000000000A7C000-memory.dmp

Filesize
48KB

Download
memory/2004-59-0x00000000020C0000-0x00000000020D0000-memory.dmp

Filesize
64KB

Download
memory/2004-54-0x0000000000A90000-0x0000000000BBC000-memory.dmp

Filesize
1.2MB

Download
memory/2004-57-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/2004-56-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2004-55-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads