dcrat | ec9c5587e94251e463f46b6cd977450967667d48c6f6a24e684dbea883948506

Analysis

max time kernel
102s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2023, 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
Size

2.6MB
MD5

2a6ed6aa7f8eb8a08e20fd4d5fca949a
SHA1

225821628d9f2832c6d920aa89ed233986c46c04
SHA256

80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616
SHA512

ff83c4db8954d24944db40e2e54d830b2cf4b1658cf680b4a60f90d90e15eb3d246c7638e8f72a5132dab71cf4b65270ab469ea740917e9b604997ee7785cb52
SSDEEP

49152:ZtiI2nk/ulngIWVTqEKWcZpaqkOijSHYPBlxyX4lDmPWA0a6qTiy:ZtiI2n6bTqEKWcZpvkljbPBmogWW6qu

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	1804	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	1804	schtasks.exe	32

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4164-133-0x0000000000880000-0x0000000000B14000-memory.dmp	dcrat
behavioral2/files/0x0007000000023143-152.dat	dcrat
behavioral2/files/0x000700000002316c-197.dat	dcrat
behavioral2/files/0x0007000000023184-314.dat	dcrat
behavioral2/files/0x0007000000023138-405.dat	dcrat
behavioral2/files/0x0007000000023138-406.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe

Executes dropped EXE 1 IoCs

pid	Process
2924	csrss.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Security\sppsvc.exe	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\upfc.exe	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Program Files\Windows Security\RCXCC56.tmp	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Idle.exe	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\ea1d8f6d871115	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Program Files\Windows Security\RCXCC46.tmp	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXCEA9.tmp	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\upfc.exe	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCXD79A.tmp	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCXD7BB.tmp	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Program Files\Windows Mail\RCXE2C0.tmp	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Program Files\Windows Mail\lsass.exe	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File created	C:\Program Files (x86)\Windows Media Player\Idle.exe	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File created	C:\Program Files\Windows Mail\lsass.exe	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Program Files\Windows Security\sppsvc.exe	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXCEBA.tmp	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File created	C:\Program Files\Windows Security\0a1fd5f707cd16	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File created	C:\Program Files (x86)\Windows Media Player\6ccacd8608530f	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File created	C:\Program Files\Windows Mail\6203df4a6bafc7	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Program Files\Windows Mail\RCXE2E0.tmp	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Performance\SearchApp.exe	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Windows\L2Schemas\sihost.exe	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File created	C:\Windows\InputMethod\CHT\dllhost.exe	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File created	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File created	C:\Windows\GameBarPresenceWriter\24dbde2999530e	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File created	C:\Windows\Web\Screen\24dbde2999530e	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Windows\InputMethod\CHT\RCXD0EE.tmp	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Windows\InputMethod\CHT\dllhost.exe	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Windows\Web\Screen\WmiPrvSE.exe	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Windows\Web\Screen\RCXDE57.tmp	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File created	C:\Windows\L2Schemas\sihost.exe	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File created	C:\Windows\L2Schemas\66fc9ff0ee96c2	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File created	C:\Windows\Performance\SearchApp.exe	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Windows\L2Schemas\RCXC50D.tmp	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Windows\InputMethod\CHT\RCXD0DE.tmp	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Windows\Performance\RCXD312.tmp	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\RCXD9DF.tmp	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Windows\Web\Screen\RCXDE77.tmp	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File created	C:\Windows\Performance\38384e6a620884	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File created	C:\Windows\Web\Screen\WmiPrvSE.exe	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Windows\L2Schemas\RCXC4ED.tmp	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Windows\Performance\RCXD323.tmp	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\RCXD9FF.tmp	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
File created	C:\Windows\InputMethod\CHT\5940a34987c991	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1444	schtasks.exe
3540	schtasks.exe
4716	schtasks.exe
4568	schtasks.exe
2232	schtasks.exe
3180	schtasks.exe
3400	schtasks.exe
4308	schtasks.exe
964	schtasks.exe
2260	schtasks.exe
2332	schtasks.exe
4560	schtasks.exe
3212	schtasks.exe
1800	schtasks.exe
5004	schtasks.exe
1020	schtasks.exe
2192	schtasks.exe
400	schtasks.exe
1036	schtasks.exe
1640	schtasks.exe
224	schtasks.exe
928	schtasks.exe
2360	schtasks.exe
5012	schtasks.exe
2808	schtasks.exe
4204	schtasks.exe
4784	schtasks.exe
5044	schtasks.exe
3704	schtasks.exe
4508	schtasks.exe
2724	schtasks.exe
2552	schtasks.exe
1816	schtasks.exe
1088	schtasks.exe
4120	schtasks.exe
3068	schtasks.exe
384	schtasks.exe
4768	schtasks.exe
1944	schtasks.exe
3628	schtasks.exe
2772	schtasks.exe
2272	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
2924	csrss.exe
2924	csrss.exe
2924	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
Token: SeDebugPrivilege	2924	csrss.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 2924	4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe	130
PID 4164 wrote to memory of 2924	4164	80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe
"C:\Users\Admin\AppData\Local\Temp\80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Recovery\WindowsRE\csrss.exe
  "C:\Recovery\WindowsRE\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\odt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Security\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\InputMethod\CHT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\InputMethod\CHT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Performance\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\odt\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\GameBarPresenceWriter\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Screen\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Web\Screen\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Screen\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\Idle.exe

Filesize
2.6MB

MD5
2a6ed6aa7f8eb8a08e20fd4d5fca949a

SHA1
225821628d9f2832c6d920aa89ed233986c46c04

SHA256
80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616

SHA512
ff83c4db8954d24944db40e2e54d830b2cf4b1658cf680b4a60f90d90e15eb3d246c7638e8f72a5132dab71cf4b65270ab469ea740917e9b604997ee7785cb52

Download Submit
C:\Recovery\WindowsRE\RCXC742.tmp

Filesize
2.6MB

MD5
d5ec7f09948fc4c8bf1b6a9d14f55a90

SHA1
f48fe437397fbcca9b7d34d94cfd5753ed4d3ceb

SHA256
33345217ae3c1b6f9d35fbfa80d2684b619ec6864c72ab82201d07760ce43e6f

SHA512
eb3a5de484fbf24ed6b2e72462776d8283f9523f3a3b868950e23647e9b712a6eb46a5ecb13e3d2d9f62828482a006971f7c942f2426346392d52a710729202f

Download Submit
C:\Recovery\WindowsRE\csrss.exe

Filesize
2.6MB

MD5
2a6ed6aa7f8eb8a08e20fd4d5fca949a

SHA1
225821628d9f2832c6d920aa89ed233986c46c04

SHA256
80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616

SHA512
ff83c4db8954d24944db40e2e54d830b2cf4b1658cf680b4a60f90d90e15eb3d246c7638e8f72a5132dab71cf4b65270ab469ea740917e9b604997ee7785cb52

Download Submit
C:\Recovery\WindowsRE\csrss.exe

Filesize
2.6MB

MD5
2a6ed6aa7f8eb8a08e20fd4d5fca949a

SHA1
225821628d9f2832c6d920aa89ed233986c46c04

SHA256
80225cd0f5c3c59630d8d42320aeae18ad85006b640537dcc3d076f8ec96f616

SHA512
ff83c4db8954d24944db40e2e54d830b2cf4b1658cf680b4a60f90d90e15eb3d246c7638e8f72a5132dab71cf4b65270ab469ea740917e9b604997ee7785cb52

Download Submit
C:\Windows\Web\Screen\RCXDE57.tmp

Filesize
2.6MB

MD5
c28631de3efad8a4229234b0d65f1d76

SHA1
197c66ce9a2740792c0dd1f04c332d79f4d91f24

SHA256
3d633ccfd6c3ae4de48a7da8055826617c1874a4077e63384bb933f683762504

SHA512
246d51247c0312923dad43e9b6d48bbf1623ebddc4a2b925bef030c07cd7453cee7906d7c231ae974b04e4b00e3eb41467f870bf8f71fd24bf9956b318847a86

Download Submit
memory/4164-137-0x000000001B780000-0x000000001B790000-memory.dmp

Filesize
64KB

Download
memory/4164-133-0x0000000000880000-0x0000000000B14000-memory.dmp

Filesize
2.6MB

Download
memory/4164-140-0x000000001B780000-0x000000001B790000-memory.dmp

Filesize
64KB

Download
memory/4164-141-0x000000001B780000-0x000000001B790000-memory.dmp

Filesize
64KB

Download
memory/4164-142-0x000000001B780000-0x000000001B790000-memory.dmp

Filesize
64KB

Download
memory/4164-145-0x000000001B780000-0x000000001B790000-memory.dmp

Filesize
64KB

Download
memory/4164-138-0x000000001B780000-0x000000001B790000-memory.dmp

Filesize
64KB

Download
memory/4164-139-0x000000001B780000-0x000000001B790000-memory.dmp

Filesize
64KB

Download
memory/4164-285-0x000000001D910000-0x000000001DA10000-memory.dmp

Filesize
1024KB

Download
memory/4164-298-0x000000001D910000-0x000000001DA10000-memory.dmp

Filesize
1024KB

Download
memory/4164-136-0x000000001B780000-0x000000001B790000-memory.dmp

Filesize
64KB

Download
memory/4164-347-0x000000001B780000-0x000000001B790000-memory.dmp

Filesize
64KB

Download
memory/4164-135-0x000000001B720000-0x000000001B770000-memory.dmp

Filesize
320KB

Download
memory/4164-134-0x000000001B780000-0x000000001B790000-memory.dmp

Filesize
64KB

Download