dcrat | cca041e34546ca2022b7abbd6958921809b717c0c399832f1a162412d3be07b9

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-05-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Total order confirmation April 10 2017.exe
Size

1.5MB
MD5

d31daa3adb9285b7024438799d3a7fc8
SHA1

3a4a3684c7a475bae5b47aad1ad750996add764b
SHA256

ebdb910c35ce8b21168a4bda0dae16b3a64f66670763be89a81e322d8ddab431
SHA512

9d3febe2e0603e0f6d040dff42b194fa2be309260724f9bfc879fd72990718145a239a6817b8fbcf1fd1c2e3209896c94282fc88e9bc61d064b393f0b271d8dc
SSDEEP

49152:41wV28FzbXmsC/C2d4A7k5r3HN2i54kZW:VVvFzisC/r4UkJ3HN2i54mW

Score

10^/10

dcrat luminosity pony collection discovery infostealer persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://tcoolonline.mobi/wp-includes/css/Panel/gate.php

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Luminosity 2 IoCs

Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

rat luminosity

Processes:

schtasks.exeTotal order confirmation April 10 2017.exe

pid	process
1752	schtasks.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Total order confirmation April 10 2017.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 7 IoCs

Processes:

datalog.exesvchost.exedatalog.exesvchost.exesvchost.execlient.execlient.exe

pid process

2748 datalog.exe
2616 svchost.exe
2692 datalog.exe
2784 svchost.exe
2864 svchost.exe
1532 client.exe
888 client.exe

Loads dropped DLL 5 IoCs

Processes:

Total order confirmation April 10 2017.exesvchost.exe

pid	process
2792	Total order confirmation April 10 2017.exe
2792	Total order confirmation April 10 2017.exe
2792	Total order confirmation April 10 2017.exe
2792	Total order confirmation April 10 2017.exe
2616	svchost.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2864-79-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2864-81-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2864-83-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeREG.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "cmd /c \"start \"Client Monitor\" \"C:\\Program Files (x86)\\Client\\client.exe\""	REG.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2616 set thread context of 2864 2616 svchost.exe svchost.exe

description	pid	process	target process
PID 2616 set thread context of 2864	2616	svchost.exe	svchost.exe

Drops file in Program Files directory 2 IoCs

Processes:

datalog.exe

description	ioc	process
File created	C:\Program Files (x86)\Client\client.exe	datalog.exe
File opened for modification	C:\Program Files (x86)\Client\client.exe	datalog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1752 schtasks.exe

pid	process
1752	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Total order confirmation April 10 2017.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Total order confirmation April 10 2017.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Total order confirmation April 10 2017.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Total order confirmation April 10 2017.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Total order confirmation April 10 2017.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

datalog.exesvchost.execmd.exe

pid	process
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2616	svchost.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
1760	cmd.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe
2748	datalog.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

Total order confirmation April 10 2017.exesvchost.exesvchost.exedatalog.exe

description	pid	process
Token: SeDebugPrivilege	2792	Total order confirmation April 10 2017.exe
Token: SeDebugPrivilege	2616	svchost.exe
Token: SeImpersonatePrivilege	2864	svchost.exe
Token: SeTcbPrivilege	2864	svchost.exe
Token: SeChangeNotifyPrivilege	2864	svchost.exe
Token: SeCreateTokenPrivilege	2864	svchost.exe
Token: SeBackupPrivilege	2864	svchost.exe
Token: SeRestorePrivilege	2864	svchost.exe
Token: SeIncreaseQuotaPrivilege	2864	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2864	svchost.exe
Token: SeDebugPrivilege	2748	datalog.exe
Token: SeImpersonatePrivilege	2864	svchost.exe
Token: SeTcbPrivilege	2864	svchost.exe
Token: SeChangeNotifyPrivilege	2864	svchost.exe
Token: SeCreateTokenPrivilege	2864	svchost.exe
Token: SeBackupPrivilege	2864	svchost.exe
Token: SeRestorePrivilege	2864	svchost.exe
Token: SeIncreaseQuotaPrivilege	2864	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2864	svchost.exe
Token: SeImpersonatePrivilege	2864	svchost.exe
Token: SeTcbPrivilege	2864	svchost.exe
Token: SeChangeNotifyPrivilege	2864	svchost.exe
Token: SeCreateTokenPrivilege	2864	svchost.exe
Token: SeBackupPrivilege	2864	svchost.exe
Token: SeRestorePrivilege	2864	svchost.exe
Token: SeIncreaseQuotaPrivilege	2864	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2864	svchost.exe
Token: SeImpersonatePrivilege	2864	svchost.exe
Token: SeTcbPrivilege	2864	svchost.exe
Token: SeChangeNotifyPrivilege	2864	svchost.exe
Token: SeCreateTokenPrivilege	2864	svchost.exe
Token: SeBackupPrivilege	2864	svchost.exe
Token: SeRestorePrivilege	2864	svchost.exe
Token: SeIncreaseQuotaPrivilege	2864	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2864	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

datalog.exe

pid process

2748 datalog.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

Total order confirmation April 10 2017.exesvchost.exedatalog.exesvchost.exetaskeng.exe

description	pid	process	target process
PID 2792 wrote to memory of 2748	2792	Total order confirmation April 10 2017.exe	datalog.exe
PID 2792 wrote to memory of 2748	2792	Total order confirmation April 10 2017.exe	datalog.exe
PID 2792 wrote to memory of 2748	2792	Total order confirmation April 10 2017.exe	datalog.exe
PID 2792 wrote to memory of 2748	2792	Total order confirmation April 10 2017.exe	datalog.exe
PID 2792 wrote to memory of 2616	2792	Total order confirmation April 10 2017.exe	svchost.exe
PID 2792 wrote to memory of 2616	2792	Total order confirmation April 10 2017.exe	svchost.exe
PID 2792 wrote to memory of 2616	2792	Total order confirmation April 10 2017.exe	svchost.exe
PID 2792 wrote to memory of 2616	2792	Total order confirmation April 10 2017.exe	svchost.exe
PID 2616 wrote to memory of 2692	2616	svchost.exe	datalog.exe
PID 2616 wrote to memory of 2692	2616	svchost.exe	datalog.exe
PID 2616 wrote to memory of 2692	2616	svchost.exe	datalog.exe
PID 2616 wrote to memory of 2692	2616	svchost.exe	datalog.exe
PID 2616 wrote to memory of 2784	2616	svchost.exe	svchost.exe
PID 2616 wrote to memory of 2784	2616	svchost.exe	svchost.exe
PID 2616 wrote to memory of 2784	2616	svchost.exe	svchost.exe
PID 2616 wrote to memory of 2784	2616	svchost.exe	svchost.exe
PID 2616 wrote to memory of 2864	2616	svchost.exe	svchost.exe
PID 2616 wrote to memory of 2864	2616	svchost.exe	svchost.exe
PID 2616 wrote to memory of 2864	2616	svchost.exe	svchost.exe
PID 2616 wrote to memory of 2864	2616	svchost.exe	svchost.exe
PID 2616 wrote to memory of 2864	2616	svchost.exe	svchost.exe
PID 2616 wrote to memory of 2864	2616	svchost.exe	svchost.exe
PID 2616 wrote to memory of 2864	2616	svchost.exe	svchost.exe
PID 2616 wrote to memory of 2864	2616	svchost.exe	svchost.exe
PID 2616 wrote to memory of 2864	2616	svchost.exe	svchost.exe
PID 2748 wrote to memory of 1752	2748	datalog.exe	schtasks.exe
PID 2748 wrote to memory of 1752	2748	datalog.exe	schtasks.exe
PID 2748 wrote to memory of 1752	2748	datalog.exe	schtasks.exe
PID 2748 wrote to memory of 1752	2748	datalog.exe	schtasks.exe
PID 2864 wrote to memory of 1760	2864	svchost.exe	cmd.exe
PID 2864 wrote to memory of 1760	2864	svchost.exe	cmd.exe
PID 2864 wrote to memory of 1760	2864	svchost.exe	cmd.exe
PID 2864 wrote to memory of 1760	2864	svchost.exe	cmd.exe
PID 2748 wrote to memory of 2616	2748	datalog.exe	svchost.exe
PID 2748 wrote to memory of 2616	2748	datalog.exe	svchost.exe
PID 2748 wrote to memory of 2616	2748	datalog.exe	svchost.exe
PID 2748 wrote to memory of 2616	2748	datalog.exe	svchost.exe
PID 2748 wrote to memory of 2616	2748	datalog.exe	svchost.exe
PID 2748 wrote to memory of 1760	2748	datalog.exe	cmd.exe
PID 2748 wrote to memory of 1760	2748	datalog.exe	cmd.exe
PID 2748 wrote to memory of 1760	2748	datalog.exe	cmd.exe
PID 2748 wrote to memory of 1760	2748	datalog.exe	cmd.exe
PID 2748 wrote to memory of 1760	2748	datalog.exe	cmd.exe
PID 1368 wrote to memory of 1532	1368	taskeng.exe	client.exe
PID 1368 wrote to memory of 1532	1368	taskeng.exe	client.exe
PID 1368 wrote to memory of 1532	1368	taskeng.exe	client.exe
PID 1368 wrote to memory of 1532	1368	taskeng.exe	client.exe
PID 2748 wrote to memory of 2160	2748	datalog.exe	REG.exe
PID 2748 wrote to memory of 2160	2748	datalog.exe	REG.exe
PID 2748 wrote to memory of 2160	2748	datalog.exe	REG.exe
PID 2748 wrote to memory of 2160	2748	datalog.exe	REG.exe
PID 1368 wrote to memory of 888	1368	taskeng.exe	client.exe
PID 1368 wrote to memory of 888	1368	taskeng.exe	client.exe
PID 1368 wrote to memory of 888	1368	taskeng.exe	client.exe
PID 1368 wrote to memory of 888	1368	taskeng.exe	client.exe

outlook_win_path 1 IoCs

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

C:\Users\Admin\AppData\Local\Temp\Total order confirmation April 10 2017.exe
"C:\Users\Admin\AppData\Local\Temp\Total order confirmation April 10 2017.exe"
1⤵
- Luminosity
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Roaming\datalog.exe
  "C:\Users\Admin\AppData\Roaming\datalog.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /sc MINUTE /f /rl highest
    3⤵
    - Luminosity
    - Creates scheduled task(s)
    PID:1752
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:2160
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Users\Admin\AppData\Roaming\datalog.exe
    "C:\Users\Admin\AppData\Roaming\datalog.exe"
    3⤵
    - Executes dropped EXE
    PID:2692
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe "
    3⤵
    - Executes dropped EXE
    PID:2784
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe "
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_win_path
    PID:2864
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\259412970.bat" "C:\Users\Admin\AppData\Roaming\svchost.exe" "
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1760

C:\Windows\system32\taskeng.exe
taskeng.exe {1EA95679-2645-4004-92C3-4AF400F02AA1} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Program Files (x86)\Client\client.exe
  "C:\Program Files (x86)\Client\client.exe" /startup
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Program Files (x86)\Client\client.exe
  "C:\Program Files (x86)\Client\client.exe" /startup
  2⤵
  - Executes dropped EXE
  PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
471B

MD5
b401341fc85ff1df5516bfefd6966903

SHA1
56308be824e854fc85368b26d6252db4b49682b6

SHA256
fc2ecd873fa745b68f48544e085634c168f00a7027c36fec6bc4adddc3249073

SHA512
c26dd408ab05a9d83b5c3f4986f895f4eba73e957b1d6f2141e76ac14813ca636b674b5fe67bad4927f2048e4f0af72dbadcd059751bd476695e1d24131bbac4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_502BB733848926DD3139F2342144B39C

Filesize
471B

MD5
40efe1a83e4a4b9b0b6a15d324440c09

SHA1
3e8c2705ef0bea8646e64e367d4d2c094664313e

SHA256
5985a3230044b7432ea48d6dc23fcb215c39d04224f77ffa0a8b2481fe03d4de

SHA512
0aa1a219b42fbb95e99a5632791494246916f2c5dbc453cad2bf14a531ae91fd0d7f348b72ec35a97966e33b969b7fe356f1904a00b225926378838c082fa328

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
404B

MD5
9ed8deae946a9ed0ac5ffdb1b048a306

SHA1
07cbca2ee6ede3a1755e23c667e58f0e081e2817

SHA256
af03f6c920fb98f49dcc28bf23b6e4e2f53762d7e398a4ab50af4437aef9d978

SHA512
f396d891fdd0d8b98aa280a00b7e6753483e3fdb406f5e90ac9c04bf74d571bf3beb8a7a0e99f6e6c43263045e345294aa3f7f336eb2fefa9dbdf1dadff5105f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_502BB733848926DD3139F2342144B39C

Filesize
404B

MD5
82fb5b8f8922fcd5f57df6738888272d

SHA1
363daa74542b85389f73b66129fc180660bd7950

SHA256
f6007dea28606b9d532c24d94462450e78bb07b102a8152f291d03e6f63828b3

SHA512
6bb098e63fda92f291aa6eb6e590b2cc54dcb70a5526e0b042b2782befa96cb7090361795bb34d7dfb9f0d92b7374991fddd59dcf6bff3237a80ee755baa21a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7d310b621715614ec64b4bdda64e7d82

SHA1
a47012692fa8b24535089a47104908cd52e461be

SHA256
3ced5d4d2fabbe3b562910fce6d552e083c1012cd82d23fc6fc448002aa8e697

SHA512
043770b1eb1dac4b9fdd799ce5548d3e3b366b76ef9299d80981c5a1d72445de0c5508f194c235322993c982f6d736aca69a72126c793a3521059a7de2522b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\259412970.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2A1D.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1.5MB

MD5
d31daa3adb9285b7024438799d3a7fc8

SHA1
3a4a3684c7a475bae5b47aad1ad750996add764b

SHA256
ebdb910c35ce8b21168a4bda0dae16b3a64f66670763be89a81e322d8ddab431

SHA512
9d3febe2e0603e0f6d040dff42b194fa2be309260724f9bfc879fd72990718145a239a6817b8fbcf1fd1c2e3209896c94282fc88e9bc61d064b393f0b271d8dc

Download Submit
\Users\Admin\AppData\Roaming\datalog.exe

Filesize
856KB

MD5
6f354cc37a8d6f4c0f2a252ca5830275

SHA1
f4f42bccbb5f3ae12e807fae97986e138d1b405d

SHA256
c76034635528117e1b8b59c9c549a58c17b2f63f13b0d92b015f462c38317942

SHA512
19f1ca7a911acd944f985c1b043cd9914633bf97d420064a5ed5baa9efff8cbb4721797ed27b4354e5912d2be2bfde690d2fa2faf28e4181bf0612c41446dc3f

Download Submit
memory/1760-114-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1760-111-0x0000000000130000-0x0000000000147000-memory.dmp

Filesize
92KB

Download
memory/1760-109-0x0000000000130000-0x0000000000147000-memory.dmp

Filesize
92KB

Download
memory/1760-115-0x0000000000130000-0x0000000000147000-memory.dmp

Filesize
92KB

Download
memory/1760-107-0x0000000000130000-0x0000000000147000-memory.dmp

Filesize
92KB

Download
memory/2616-99-0x00000000007E0000-0x00000000007F7000-memory.dmp

Filesize
92KB

Download
memory/2616-129-0x00000000007E0000-0x00000000007F7000-memory.dmp

Filesize
92KB

Download
memory/2616-93-0x00000000007E0000-0x00000000007F7000-memory.dmp

Filesize
92KB

Download
memory/2616-94-0x00000000007E0000-0x00000000007F7000-memory.dmp

Filesize
92KB

Download
memory/2616-102-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/2616-100-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/2616-103-0x00000000007E0000-0x00000000007F7000-memory.dmp

Filesize
92KB

Download
memory/2616-97-0x00000000007E0000-0x00000000007F7000-memory.dmp

Filesize
92KB

Download
memory/2616-95-0x00000000007E0000-0x00000000007F7000-memory.dmp

Filesize
92KB

Download
memory/2748-57-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/2748-117-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/2748-48-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/2748-61-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/2792-0-0x0000000074741000-0x0000000074742000-memory.dmp

Filesize
4KB

Download
memory/2792-62-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/2792-1-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/2864-81-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2864-79-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2864-83-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download