dcrat | 3c1ddef41b60a5b4f1e9891232eac7e8d3727d94562b45ecab70ff6e0513f1b6

General

Target

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Size

2.4MB
MD5

0e444044fdfea512ca18fc3396abb65b
SHA1

8b601ccad5b2a76967c0ca7579dc13d092307f34
SHA256

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755
SHA512

7b58b88c7fbcd7b97d1a08f2145794beefa2960382140bac74f1f4fe630cdd0314cd9bceb599a32c56788df1e0e9dccf84c1598c52f9c581389327428696e119
SSDEEP

49152:bkcwlRFUh2b69Cs9MR3uh+tytRY1aLXYqIiiJd2EHt:bkdlRI3ceI1azYqWj

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	4004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	4004	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

csrss.exe3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/2000-133-0x0000000000AC0000-0x0000000000D38000-memory.dmp	dcrat
C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\taskhostw.exe	dcrat
C:\Windows\L2Schemas\csrss.exe	dcrat
C:\Windows\L2Schemas\csrss.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

1896 csrss.exe

pid	process
1896	csrss.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.execsrss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in Program Files directory 10 IoCs

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\CrashReports\27d1bcfc3c54e0	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\taskhostw.exe	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Program Files (x86)\Google\Update\Download\RuntimeBroker.exe	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Program Files (x86)\Google\Update\Download\9e8d7a4ca61bd9	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Program Files (x86)\Google\CrashReports\System.exe	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Program Files\Google\Chrome\System.exe	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Program Files\Google\Chrome\27d1bcfc3c54e0	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\ea9f0e6c9e2dcd	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\upfc.exe	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\ea1d8f6d871115	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe

Drops file in Windows directory 8 IoCs

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe

description	ioc	process
File created	C:\Windows\L2Schemas\csrss.exe	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Windows\L2Schemas\886983d96e3d3e	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Windows\SystemResources\Windows.UI.Search\Images\winlogon.exe	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Windows\SystemResources\Windows.UI.Search\Images\cc11b995f2a76d	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Windows\Web\Wallpaper\Theme1\StartMenuExperienceHost.exe	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Windows\Web\Wallpaper\Theme1\55b276f4edf653	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Windows\PLA\backgroundTaskHost.exe	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Windows\PLA\eddb19405b7ce1	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3864	schtasks.exe
2628	schtasks.exe
3364	schtasks.exe
1640	schtasks.exe
1884	schtasks.exe
4548	schtasks.exe
1048	schtasks.exe
4184	schtasks.exe
2780	schtasks.exe
3788	schtasks.exe
4684	schtasks.exe
1528	schtasks.exe
4600	schtasks.exe
4444	schtasks.exe
1360	schtasks.exe
4028	schtasks.exe
1732	schtasks.exe
2004	schtasks.exe
3084	schtasks.exe
4876	schtasks.exe
4592	schtasks.exe
3368	schtasks.exe
480	schtasks.exe
4676	schtasks.exe
4296	schtasks.exe
4200	schtasks.exe
4192	schtasks.exe
100	schtasks.exe
536	schtasks.exe
3336	schtasks.exe
4656	schtasks.exe
1328	schtasks.exe
4672	schtasks.exe
4880	schtasks.exe
768	schtasks.exe
4312	schtasks.exe
1084	schtasks.exe
1220	schtasks.exe
224	schtasks.exe
4424	schtasks.exe
3512	schtasks.exe
2620	schtasks.exe
3108	schtasks.exe
2016	schtasks.exe
4496	schtasks.exe
428	schtasks.exe
3992	schtasks.exe
4756	schtasks.exe
1156	schtasks.exe
1668	schtasks.exe
116	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.execsrss.exe

pid	process
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
1896	csrss.exe
1896	csrss.exe
1896	csrss.exe
1896	csrss.exe
1896	csrss.exe
1896	csrss.exe
1896	csrss.exe
1896	csrss.exe
1896	csrss.exe
1896	csrss.exe
1896	csrss.exe
1896	csrss.exe
1896	csrss.exe
1896	csrss.exe
1896	csrss.exe
1896	csrss.exe
1896	csrss.exe
1896	csrss.exe
1896	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

csrss.exe

pid process

1896 csrss.exe

pid	process
1896	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Token: SeDebugPrivilege	1896	csrss.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe

description	pid	process	target process
PID 2000 wrote to memory of 1896	2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe	csrss.exe
PID 2000 wrote to memory of 1896	2000	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe	csrss.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
"C:\Users\Admin\AppData\Local\Temp\3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2000

C:\Windows\L2Schemas\csrss.exe
"C:\Windows\L2Schemas\csrss.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\odt\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\Download\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\Download\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemResources\Windows.UI.Search\Images\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.Search\Images\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemResources\Windows.UI.Search\Images\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Wallpaper\Theme1\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Theme1\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Wallpaper\Theme1\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\CrashReports\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\odt\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\PLA\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Windows\PLA\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\.oracle_jre_usage\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\.oracle_jre_usage\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\.oracle_jre_usage\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\taskhostw.exe
Filesize
2.4MB

MD5
0e444044fdfea512ca18fc3396abb65b

SHA1
8b601ccad5b2a76967c0ca7579dc13d092307f34

SHA256
3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755

SHA512
7b58b88c7fbcd7b97d1a08f2145794beefa2960382140bac74f1f4fe630cdd0314cd9bceb599a32c56788df1e0e9dccf84c1598c52f9c581389327428696e119

Download Submit
C:\Windows\L2Schemas\csrss.exe
Filesize
2.4MB

MD5
0e444044fdfea512ca18fc3396abb65b

SHA1
8b601ccad5b2a76967c0ca7579dc13d092307f34

SHA256
3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755

SHA512
7b58b88c7fbcd7b97d1a08f2145794beefa2960382140bac74f1f4fe630cdd0314cd9bceb599a32c56788df1e0e9dccf84c1598c52f9c581389327428696e119

Download Submit
C:\Windows\L2Schemas\csrss.exe
Filesize
2.4MB

MD5
0e444044fdfea512ca18fc3396abb65b

SHA1
8b601ccad5b2a76967c0ca7579dc13d092307f34

SHA256
3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755

SHA512
7b58b88c7fbcd7b97d1a08f2145794beefa2960382140bac74f1f4fe630cdd0314cd9bceb599a32c56788df1e0e9dccf84c1598c52f9c581389327428696e119

Download Submit
memory/2000-133-0x0000000000AC0000-0x0000000000D38000-memory.dmp

Filesize
2.5MB

Download
memory/2000-134-0x000000001B830000-0x000000001B840000-memory.dmp

Filesize
64KB

Download
memory/2000-135-0x000000001D090000-0x000000001D0E0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads