dcrat | d2e73b6112b25f6d4aac7ab6fbebecddbe4042cbad85f3926dc298c871c017e2

Analysis

max time kernel
44s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24-03-2023 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DCRawwwftBuild.exe
Size

1.1MB
MD5

fc1382653001e36943a5a487aa04083e
SHA1

48e471cccc1894f6581d7a19daaf46ac9c219995
SHA256

d2e73b6112b25f6d4aac7ab6fbebecddbe4042cbad85f3926dc298c871c017e2
SHA512

d0d6740d5cb26876ee0f89d9bab8ee7dddaa18ae8899db236a48ab577f7d41b09a5418801fc1ee26bcf90af37116d5dc0a3254dc79e33871fe03192ab54774d8
SSDEEP

24576:U2G/nvxW3Ww0tRCSZnPWLTNL6sHH6Jr3W2QGJqE+s:UbA30RCcGNT6JTW9c

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	1448	schtasks.exe

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\bridgeMsPerfcrt\agentDhcp.exe	dcrat
\bridgeMsPerfcrt\agentDhcp.exe	dcrat
C:\bridgeMsPerfcrt\agentDhcp.exe	dcrat
\bridgeMsPerfcrt\agentDhcp.exe	dcrat
behavioral1/memory/1312-67-0x0000000001260000-0x0000000001336000-memory.dmp	dcrat
behavioral1/memory/1312-72-0x000000001B150000-0x000000001B1D0000-memory.dmp	dcrat
C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe	dcrat
C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\dwm.exe	dcrat
C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\dwm.exe	dcrat
behavioral1/memory/816-88-0x0000000000DC0000-0x0000000000E96000-memory.dmp	dcrat
behavioral1/memory/816-90-0x000000001B050000-0x000000001B0D0000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

agentDhcp.exedwm.exe

pid process

1312 agentDhcp.exe
816 dwm.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1424 cmd.exe
1424 cmd.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ipinfo.io
7 ipinfo.io

pid	process
1424	cmd.exe
1424	cmd.exe

flow	ioc
6	ipinfo.io
7	ipinfo.io

Drops file in Program Files directory 4 IoCs

Processes:

agentDhcp.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\Office14\1033\886983d96e3d3e	agentDhcp.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\dwm.exe	agentDhcp.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\6cb0b6c459d5d3	agentDhcp.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\csrss.exe	agentDhcp.exe

Drops file in Windows directory 1 IoCs

Processes:

agentDhcp.exe

description ioc process

File created C:\Windows\schemas\EAPMethods\WmiPrvSE.exe agentDhcp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\schemas\EAPMethods\WmiPrvSE.exe	agentDhcp.exe

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1800	schtasks.exe
808	schtasks.exe
292	schtasks.exe
1724	schtasks.exe
1596	schtasks.exe
912	schtasks.exe
896	schtasks.exe
1080	schtasks.exe
844	schtasks.exe
1956	schtasks.exe
668	schtasks.exe
1624	schtasks.exe
1512	schtasks.exe
1612	schtasks.exe
1968	schtasks.exe
1220	schtasks.exe
1524	schtasks.exe
1696	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

dwm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	dwm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	dwm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	dwm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	dwm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	dwm.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

agentDhcp.exedwm.exe

pid	process
1312	agentDhcp.exe
1312	agentDhcp.exe
1312	agentDhcp.exe
816	dwm.exe
816	dwm.exe
816	dwm.exe
816	dwm.exe
816	dwm.exe
816	dwm.exe
816	dwm.exe
816	dwm.exe
816	dwm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

agentDhcp.exedwm.exe

description pid process

Token: SeDebugPrivilege 1312 agentDhcp.exe
Token: SeDebugPrivilege 816 dwm.exe

description	pid	process
Token: SeDebugPrivilege	1312	agentDhcp.exe
Token: SeDebugPrivilege	816	dwm.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

DCRawwwftBuild.exeWScript.execmd.exeagentDhcp.execmd.exe

description	pid	process	target process
PID 1696 wrote to memory of 852	1696	DCRawwwftBuild.exe	WScript.exe
PID 1696 wrote to memory of 852	1696	DCRawwwftBuild.exe	WScript.exe
PID 1696 wrote to memory of 852	1696	DCRawwwftBuild.exe	WScript.exe
PID 1696 wrote to memory of 852	1696	DCRawwwftBuild.exe	WScript.exe
PID 852 wrote to memory of 1424	852	WScript.exe	cmd.exe
PID 852 wrote to memory of 1424	852	WScript.exe	cmd.exe
PID 852 wrote to memory of 1424	852	WScript.exe	cmd.exe
PID 852 wrote to memory of 1424	852	WScript.exe	cmd.exe
PID 1424 wrote to memory of 1312	1424	cmd.exe	agentDhcp.exe
PID 1424 wrote to memory of 1312	1424	cmd.exe	agentDhcp.exe
PID 1424 wrote to memory of 1312	1424	cmd.exe	agentDhcp.exe
PID 1424 wrote to memory of 1312	1424	cmd.exe	agentDhcp.exe
PID 1312 wrote to memory of 1180	1312	agentDhcp.exe	cmd.exe
PID 1312 wrote to memory of 1180	1312	agentDhcp.exe	cmd.exe
PID 1312 wrote to memory of 1180	1312	agentDhcp.exe	cmd.exe
PID 1180 wrote to memory of 2036	1180	cmd.exe	w32tm.exe
PID 1180 wrote to memory of 2036	1180	cmd.exe	w32tm.exe
PID 1180 wrote to memory of 2036	1180	cmd.exe	w32tm.exe
PID 1180 wrote to memory of 816	1180	cmd.exe	dwm.exe
PID 1180 wrote to memory of 816	1180	cmd.exe	dwm.exe
PID 1180 wrote to memory of 816	1180	cmd.exe	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DCRawwwftBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRawwwftBuild.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgeMsPerfcrt\lHsGbUd.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\bridgeMsPerfcrt\eTvovo7nc.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424

C:\bridgeMsPerfcrt\agentDhcp.exe
"C:\bridgeMsPerfcrt\agentDhcp.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cWkBSqzw3R.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:2036

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\dwm.exe
"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\dwm.exe"
6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Templates\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\dwm.exe
Filesize
828KB

MD5
bfb3525f361dd6480d70a49dadfe4b87

SHA1
0c16b38c1cb4ebc776780ee8a63682404f89a736

SHA256
2c55a7859a58f35cd4c52fb1c9ad9fc93dc61c3242a5751399f6d4d911a3372c

SHA512
5200e7632112ccef4acc90b524d7c15c2d55c133dea6451eddc0eb381c18d72d6fe10ad17617eed6f2d8927d2657a7891d6ab555a96f131644af0a23fdc7e2d2

Download Submit
C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\dwm.exe
Filesize
828KB

MD5
bfb3525f361dd6480d70a49dadfe4b87

SHA1
0c16b38c1cb4ebc776780ee8a63682404f89a736

SHA256
2c55a7859a58f35cd4c52fb1c9ad9fc93dc61c3242a5751399f6d4d911a3372c

SHA512
5200e7632112ccef4acc90b524d7c15c2d55c133dea6451eddc0eb381c18d72d6fe10ad17617eed6f2d8927d2657a7891d6ab555a96f131644af0a23fdc7e2d2

Download Submit
C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe
Filesize
828KB

MD5
bfb3525f361dd6480d70a49dadfe4b87

SHA1
0c16b38c1cb4ebc776780ee8a63682404f89a736

SHA256
2c55a7859a58f35cd4c52fb1c9ad9fc93dc61c3242a5751399f6d4d911a3372c

SHA512
5200e7632112ccef4acc90b524d7c15c2d55c133dea6451eddc0eb381c18d72d6fe10ad17617eed6f2d8927d2657a7891d6ab555a96f131644af0a23fdc7e2d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d93c242174aad81bfbf1148828a508c7

SHA1
856921e418134cb781b4d7144b186740be1afecd

SHA256
0a0c7fd6d02ba396cfffb937c036b5b8c76218cc8194a52886976c503038eafb

SHA512
db1debf29db52f03e74e594c3be04f75a46833689bec1811758cdddc8fed979b2841399450a6633207358b5d02cbad47891288301da8bcbb143afafa6bb462bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA660.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA9A2.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\cWkBSqzw3R.bat
Filesize
246B

MD5
cd0a32863e20bf4e992852fa17b6dd48

SHA1
1aefe30bb72800ba59783b40604e51e82d2ab577

SHA256
ed22aa1c76987e6f40f2a1b99c7d17057ba57e5584089472a0a72f9afb9dd282

SHA512
e5696fe1330a7733b128088e16a426da548a22e734154af3d8eca70d6f657940896b97421f5719a0e6c85499b3eb56dac5911e94d16c33ab787b4e8b3a35fcf2

Download Submit
C:\bridgeMsPerfcrt\agentDhcp.exe
Filesize
828KB

MD5
bfb3525f361dd6480d70a49dadfe4b87

SHA1
0c16b38c1cb4ebc776780ee8a63682404f89a736

SHA256
2c55a7859a58f35cd4c52fb1c9ad9fc93dc61c3242a5751399f6d4d911a3372c

SHA512
5200e7632112ccef4acc90b524d7c15c2d55c133dea6451eddc0eb381c18d72d6fe10ad17617eed6f2d8927d2657a7891d6ab555a96f131644af0a23fdc7e2d2

Download Submit
C:\bridgeMsPerfcrt\agentDhcp.exe
Filesize
828KB

MD5
bfb3525f361dd6480d70a49dadfe4b87

SHA1
0c16b38c1cb4ebc776780ee8a63682404f89a736

SHA256
2c55a7859a58f35cd4c52fb1c9ad9fc93dc61c3242a5751399f6d4d911a3372c

SHA512
5200e7632112ccef4acc90b524d7c15c2d55c133dea6451eddc0eb381c18d72d6fe10ad17617eed6f2d8927d2657a7891d6ab555a96f131644af0a23fdc7e2d2

Download Submit
C:\bridgeMsPerfcrt\eTvovo7nc.bat
Filesize
34B

MD5
f61f3afffe07a890977d360b99f061ca

SHA1
fbca8ef86b50065fc88e321262970b73241fa0ee

SHA256
4c90ec3fb0e42dbfb4185938ce2eae6827e1372353a074c15d07be49b0978399

SHA512
9d642fb439f9ba6d3163e708dfa2e7f5e1b03b52441abfb985c3811d5d63a5397f319ec5e764ee5ab39648ba4b82ca963b1d067a47eee9f5b421f790be1be06a

Download Submit
C:\bridgeMsPerfcrt\lHsGbUd.vbe
Filesize
201B

MD5
927e9bc687e4c3946aa0e2a9b15f78cf

SHA1
b72aff1ba6dfe509bcef4a8f6ef83ec89128ed01

SHA256
6c02a45cb224d627e67dfcb194cda3ed037a334b14c7b52c3d350c642ac79937

SHA512
2adf5d0d58719d8c653fdc35245ec4f00c93d8940a94ac34965b32cbce04fd5bd5fc21618e9cca2ba4474113166c6161408a5bc6e09b7c478c33a02f630869c7

Download Submit
\bridgeMsPerfcrt\agentDhcp.exe
Filesize
828KB

MD5
bfb3525f361dd6480d70a49dadfe4b87

SHA1
0c16b38c1cb4ebc776780ee8a63682404f89a736

SHA256
2c55a7859a58f35cd4c52fb1c9ad9fc93dc61c3242a5751399f6d4d911a3372c

SHA512
5200e7632112ccef4acc90b524d7c15c2d55c133dea6451eddc0eb381c18d72d6fe10ad17617eed6f2d8927d2657a7891d6ab555a96f131644af0a23fdc7e2d2

Download Submit
\bridgeMsPerfcrt\agentDhcp.exe
Filesize
828KB

MD5
bfb3525f361dd6480d70a49dadfe4b87

SHA1
0c16b38c1cb4ebc776780ee8a63682404f89a736

SHA256
2c55a7859a58f35cd4c52fb1c9ad9fc93dc61c3242a5751399f6d4d911a3372c

SHA512
5200e7632112ccef4acc90b524d7c15c2d55c133dea6451eddc0eb381c18d72d6fe10ad17617eed6f2d8927d2657a7891d6ab555a96f131644af0a23fdc7e2d2

Download Submit
memory/816-88-0x0000000000DC0000-0x0000000000E96000-memory.dmp

Filesize
856KB

Download
memory/816-89-0x000000001B050000-0x000000001B0D0000-memory.dmp

Filesize
512KB

Download
memory/816-90-0x000000001B050000-0x000000001B0D0000-memory.dmp

Filesize
512KB

Download
memory/1312-72-0x000000001B150000-0x000000001B1D0000-memory.dmp

Filesize
512KB

Download
memory/1312-67-0x0000000001260000-0x0000000001336000-memory.dmp

Filesize
856KB

Download