dcrat | cca041e34546ca2022b7abbd6958921809b717c0c399832f1a162412d3be07b9

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Total order confirmation April 10 2017.exe
Size

1.5MB
MD5

d31daa3adb9285b7024438799d3a7fc8
SHA1

3a4a3684c7a475bae5b47aad1ad750996add764b
SHA256

ebdb910c35ce8b21168a4bda0dae16b3a64f66670763be89a81e322d8ddab431
SHA512

9d3febe2e0603e0f6d040dff42b194fa2be309260724f9bfc879fd72990718145a239a6817b8fbcf1fd1c2e3209896c94282fc88e9bc61d064b393f0b271d8dc
SSDEEP

49152:41wV28FzbXmsC/C2d4A7k5r3HN2i54kZW:VVvFzisC/r4UkJ3HN2i54mW

Score

10^/10

dcrat luminosity pony collection discovery infostealer persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://tcoolonline.mobi/wp-includes/css/Panel/gate.php

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Luminosity 2 IoCs

Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

rat luminosity

Processes:

Total order confirmation April 10 2017.exeschtasks.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Total order confirmation April 10 2017.exe
308	schtasks.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 6 IoCs

Processes:

datalog.exesvchost.exedatalog.exesvchost.execlient.execlient.exe

pid process

2704 datalog.exe
2536 svchost.exe
2888 datalog.exe
2936 svchost.exe
1124 client.exe
2856 client.exe

Loads dropped DLL 5 IoCs

Processes:

Total order confirmation April 10 2017.exesvchost.exe

pid	process
2364	Total order confirmation April 10 2017.exe
2364	Total order confirmation April 10 2017.exe
2364	Total order confirmation April 10 2017.exe
2364	Total order confirmation April 10 2017.exe
2536	svchost.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2936-79-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2936-82-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2936-81-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeREG.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "cmd /c \"start \"Client Monitor\" \"C:\\Program Files (x86)\\Client\\client.exe\""	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2536 set thread context of 2936 2536 svchost.exe svchost.exe

description	pid	process	target process
PID 2536 set thread context of 2936	2536	svchost.exe	svchost.exe

Drops file in Program Files directory 2 IoCs

Processes:

datalog.exe

description	ioc	process
File created	C:\Program Files (x86)\Client\client.exe	datalog.exe
File opened for modification	C:\Program Files (x86)\Client\client.exe	datalog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

308 schtasks.exe

pid	process
308	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Total order confirmation April 10 2017.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Total order confirmation April 10 2017.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Total order confirmation April 10 2017.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Total order confirmation April 10 2017.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Total order confirmation April 10 2017.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

datalog.exesvchost.exesvchost.execmd.exe

pid	process
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2936	svchost.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2536	svchost.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
1304	cmd.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe
2704	datalog.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

Total order confirmation April 10 2017.exesvchost.exesvchost.exedatalog.exe

description	pid	process
Token: SeDebugPrivilege	2364	Total order confirmation April 10 2017.exe
Token: SeDebugPrivilege	2536	svchost.exe
Token: SeImpersonatePrivilege	2936	svchost.exe
Token: SeTcbPrivilege	2936	svchost.exe
Token: SeChangeNotifyPrivilege	2936	svchost.exe
Token: SeCreateTokenPrivilege	2936	svchost.exe
Token: SeBackupPrivilege	2936	svchost.exe
Token: SeRestorePrivilege	2936	svchost.exe
Token: SeIncreaseQuotaPrivilege	2936	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2936	svchost.exe
Token: SeDebugPrivilege	2704	datalog.exe
Token: SeImpersonatePrivilege	2936	svchost.exe
Token: SeTcbPrivilege	2936	svchost.exe
Token: SeChangeNotifyPrivilege	2936	svchost.exe
Token: SeCreateTokenPrivilege	2936	svchost.exe
Token: SeBackupPrivilege	2936	svchost.exe
Token: SeRestorePrivilege	2936	svchost.exe
Token: SeIncreaseQuotaPrivilege	2936	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2936	svchost.exe
Token: SeImpersonatePrivilege	2936	svchost.exe
Token: SeTcbPrivilege	2936	svchost.exe
Token: SeChangeNotifyPrivilege	2936	svchost.exe
Token: SeCreateTokenPrivilege	2936	svchost.exe
Token: SeBackupPrivilege	2936	svchost.exe
Token: SeRestorePrivilege	2936	svchost.exe
Token: SeIncreaseQuotaPrivilege	2936	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2936	svchost.exe
Token: SeImpersonatePrivilege	2936	svchost.exe
Token: SeTcbPrivilege	2936	svchost.exe
Token: SeChangeNotifyPrivilege	2936	svchost.exe
Token: SeCreateTokenPrivilege	2936	svchost.exe
Token: SeBackupPrivilege	2936	svchost.exe
Token: SeRestorePrivilege	2936	svchost.exe
Token: SeIncreaseQuotaPrivilege	2936	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2936	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

datalog.exe

pid process

2704 datalog.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

Total order confirmation April 10 2017.exesvchost.exedatalog.exesvchost.exetaskeng.exe

description	pid	process	target process
PID 2364 wrote to memory of 2704	2364	Total order confirmation April 10 2017.exe	datalog.exe
PID 2364 wrote to memory of 2704	2364	Total order confirmation April 10 2017.exe	datalog.exe
PID 2364 wrote to memory of 2704	2364	Total order confirmation April 10 2017.exe	datalog.exe
PID 2364 wrote to memory of 2704	2364	Total order confirmation April 10 2017.exe	datalog.exe
PID 2364 wrote to memory of 2536	2364	Total order confirmation April 10 2017.exe	svchost.exe
PID 2364 wrote to memory of 2536	2364	Total order confirmation April 10 2017.exe	svchost.exe
PID 2364 wrote to memory of 2536	2364	Total order confirmation April 10 2017.exe	svchost.exe
PID 2364 wrote to memory of 2536	2364	Total order confirmation April 10 2017.exe	svchost.exe
PID 2536 wrote to memory of 2888	2536	svchost.exe	datalog.exe
PID 2536 wrote to memory of 2888	2536	svchost.exe	datalog.exe
PID 2536 wrote to memory of 2888	2536	svchost.exe	datalog.exe
PID 2536 wrote to memory of 2888	2536	svchost.exe	datalog.exe
PID 2536 wrote to memory of 2936	2536	svchost.exe	svchost.exe
PID 2536 wrote to memory of 2936	2536	svchost.exe	svchost.exe
PID 2536 wrote to memory of 2936	2536	svchost.exe	svchost.exe
PID 2536 wrote to memory of 2936	2536	svchost.exe	svchost.exe
PID 2536 wrote to memory of 2936	2536	svchost.exe	svchost.exe
PID 2536 wrote to memory of 2936	2536	svchost.exe	svchost.exe
PID 2536 wrote to memory of 2936	2536	svchost.exe	svchost.exe
PID 2536 wrote to memory of 2936	2536	svchost.exe	svchost.exe
PID 2536 wrote to memory of 2936	2536	svchost.exe	svchost.exe
PID 2704 wrote to memory of 308	2704	datalog.exe	schtasks.exe
PID 2704 wrote to memory of 308	2704	datalog.exe	schtasks.exe
PID 2704 wrote to memory of 308	2704	datalog.exe	schtasks.exe
PID 2704 wrote to memory of 308	2704	datalog.exe	schtasks.exe
PID 2704 wrote to memory of 2936	2704	datalog.exe	svchost.exe
PID 2704 wrote to memory of 2936	2704	datalog.exe	svchost.exe
PID 2704 wrote to memory of 2936	2704	datalog.exe	svchost.exe
PID 2704 wrote to memory of 2936	2704	datalog.exe	svchost.exe
PID 2704 wrote to memory of 2936	2704	datalog.exe	svchost.exe
PID 2936 wrote to memory of 1304	2936	svchost.exe	cmd.exe
PID 2936 wrote to memory of 1304	2936	svchost.exe	cmd.exe
PID 2936 wrote to memory of 1304	2936	svchost.exe	cmd.exe
PID 2936 wrote to memory of 1304	2936	svchost.exe	cmd.exe
PID 2704 wrote to memory of 2536	2704	datalog.exe	svchost.exe
PID 2704 wrote to memory of 2536	2704	datalog.exe	svchost.exe
PID 2704 wrote to memory of 2536	2704	datalog.exe	svchost.exe
PID 2704 wrote to memory of 2536	2704	datalog.exe	svchost.exe
PID 2704 wrote to memory of 2536	2704	datalog.exe	svchost.exe
PID 2704 wrote to memory of 1304	2704	datalog.exe	cmd.exe
PID 2704 wrote to memory of 1304	2704	datalog.exe	cmd.exe
PID 2704 wrote to memory of 1304	2704	datalog.exe	cmd.exe
PID 2704 wrote to memory of 1304	2704	datalog.exe	cmd.exe
PID 2704 wrote to memory of 1304	2704	datalog.exe	cmd.exe
PID 784 wrote to memory of 1124	784	taskeng.exe	client.exe
PID 784 wrote to memory of 1124	784	taskeng.exe	client.exe
PID 784 wrote to memory of 1124	784	taskeng.exe	client.exe
PID 784 wrote to memory of 1124	784	taskeng.exe	client.exe
PID 2704 wrote to memory of 1564	2704	datalog.exe	REG.exe
PID 2704 wrote to memory of 1564	2704	datalog.exe	REG.exe
PID 2704 wrote to memory of 1564	2704	datalog.exe	REG.exe
PID 2704 wrote to memory of 1564	2704	datalog.exe	REG.exe
PID 784 wrote to memory of 2856	784	taskeng.exe	client.exe
PID 784 wrote to memory of 2856	784	taskeng.exe	client.exe
PID 784 wrote to memory of 2856	784	taskeng.exe	client.exe
PID 784 wrote to memory of 2856	784	taskeng.exe	client.exe

outlook_win_path 1 IoCs

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

C:\Users\Admin\AppData\Local\Temp\Total order confirmation April 10 2017.exe
"C:\Users\Admin\AppData\Local\Temp\Total order confirmation April 10 2017.exe"
1⤵
- Luminosity
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364

C:\Users\Admin\AppData\Roaming\datalog.exe
"C:\Users\Admin\AppData\Roaming\datalog.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
- Creates scheduled task(s)
PID:308

C:\Windows\SysWOW64\REG.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
3⤵
- Adds Run key to start application
PID:1564

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536

C:\Users\Admin\AppData\Roaming\datalog.exe
"C:\Users\Admin\AppData\Roaming\datalog.exe"
3⤵
- Executes dropped EXE
PID:2888

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe "
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\259411410.bat" "C:\Users\Admin\AppData\Roaming\svchost.exe" "
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1304

C:\Windows\system32\taskeng.exe
taskeng.exe {A7DD7787-1C2A-4869-8BEA-77510E9072F1} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:784

C:\Program Files (x86)\Client\client.exe
"C:\Program Files (x86)\Client\client.exe" /startup
2⤵
- Executes dropped EXE
PID:1124

C:\Program Files (x86)\Client\client.exe
"C:\Program Files (x86)\Client\client.exe" /startup
2⤵
- Executes dropped EXE
PID:2856

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Filesize
471B

MD5
c9dde86d6bfb98eb2d25af219d46850b

SHA1
bc3564b7c2bc11cef1f7aafcb91f973e26fea135

SHA256
e26cf32e2cc2bfb472aeea14b1428b760f95fc17117204f146187bf3b8fa4144

SHA512
43e3b7b52493bd161b3d30719e1c0838b1f8b14c1b5e4ad51c5f113cbe4d4c470c2e0e81ed1abe32a006e029c1479aae483f0d7b81d8a50c11e3077edf0c5d52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_502BB733848926DD3139F2342144B39C
Filesize
471B

MD5
c1bc7e4db392d902cd4b515212ff9be0

SHA1
98f5a2248d77fe52f276bfe1c6108ef957b11667

SHA256
c53628b25e94add0515b21957043d73f9d80bf0a6ac6c96149c3e6c7abd1e1f6

SHA512
75294a9aff66e69adf6abbcde303e1fc6034f23999dee152ed6775a57934b128424f47e979d0d7e32f61873560208f6662c6f93f59f069727731b7d914251b60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Filesize
404B

MD5
1a78d816ee3b89aa24007117fca5d316

SHA1
54dd9fa8615eb2b509bed890e817e1158e32ada8

SHA256
8e141d8b69e5d3113859409922f0affa70ada9f1c84d7c624420a725b4436d2c

SHA512
fc20139971dfa59d7bdc66856118f73f4e7b3df9fae3181c2a6fa9204cbf44f1f854d98a495837e3b0393bca863672448d7d8c6fd3bb2d2f11095c07a497bcb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_502BB733848926DD3139F2342144B39C
Filesize
404B

MD5
9f6966dfa851a13661820435214d4327

SHA1
ef3a0f54e46f2d38b977c5b1a602c442f5b2e3fe

SHA256
fd5dfa699381a569f1e5109eb97a653bc59b36dea2d2141ec0e48a912efae2f3

SHA512
98a9438a7422a277cfc36492e0c94f225d241b79d93ea4b7c643003394ac17b202aba741ff8bdb2dc0125c671dddf64ed3aef916a3934374a34625b3a86fae2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d1b9aed9b16f48b374169331d8c0349f

SHA1
f3d891ea070c249d48420c81b07dcd707f41ae44

SHA256
8f00948cf41e4a26af8f1d5e3df8b15ec4c746d535d7193b6ff8e71b61aa249d

SHA512
20bd36dd0bf260aeb8c42ee5602d0703443f1d5f45329c47fd6fc536fbb738afc2323c4a1462188a34e868f1de8fec22a69d6b20744e8d74dcb64fd5495f98cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\259411410.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2405.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
1.5MB

MD5
d31daa3adb9285b7024438799d3a7fc8

SHA1
3a4a3684c7a475bae5b47aad1ad750996add764b

SHA256
ebdb910c35ce8b21168a4bda0dae16b3a64f66670763be89a81e322d8ddab431

SHA512
9d3febe2e0603e0f6d040dff42b194fa2be309260724f9bfc879fd72990718145a239a6817b8fbcf1fd1c2e3209896c94282fc88e9bc61d064b393f0b271d8dc

Download Submit
\Users\Admin\AppData\Roaming\datalog.exe
Filesize
856KB

MD5
6f354cc37a8d6f4c0f2a252ca5830275

SHA1
f4f42bccbb5f3ae12e807fae97986e138d1b405d

SHA256
c76034635528117e1b8b59c9c549a58c17b2f63f13b0d92b015f462c38317942

SHA512
19f1ca7a911acd944f985c1b043cd9914633bf97d420064a5ed5baa9efff8cbb4721797ed27b4354e5912d2be2bfde690d2fa2faf28e4181bf0612c41446dc3f

Download Submit
memory/1304-128-0x0000000000170000-0x0000000000187000-memory.dmp

Filesize
92KB

Download
memory/1304-120-0x0000000000170000-0x0000000000187000-memory.dmp

Filesize
92KB

Download
memory/1304-122-0x0000000000170000-0x0000000000187000-memory.dmp

Filesize
92KB

Download
memory/1304-124-0x0000000000170000-0x0000000000187000-memory.dmp

Filesize
92KB

Download
memory/1304-127-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2364-2-0x0000000074ED0000-0x000000007547B000-memory.dmp

Filesize
5.7MB

Download
memory/2364-1-0x0000000074ED0000-0x000000007547B000-memory.dmp

Filesize
5.7MB

Download
memory/2364-62-0x0000000074ED0000-0x000000007547B000-memory.dmp

Filesize
5.7MB

Download
memory/2364-0-0x0000000074ED1000-0x0000000074ED2000-memory.dmp

Filesize
4KB

Download
memory/2536-112-0x0000000000550000-0x0000000000567000-memory.dmp

Filesize
92KB

Download
memory/2536-115-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2536-142-0x0000000000550000-0x0000000000567000-memory.dmp

Filesize
92KB

Download
memory/2536-116-0x0000000000550000-0x0000000000567000-memory.dmp

Filesize
92KB

Download
memory/2536-108-0x0000000000550000-0x0000000000567000-memory.dmp

Filesize
92KB

Download
memory/2536-110-0x0000000000550000-0x0000000000567000-memory.dmp

Filesize
92KB

Download
memory/2704-130-0x0000000074ED0000-0x000000007547B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-51-0x0000000074ED0000-0x000000007547B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-61-0x0000000074ED0000-0x000000007547B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-60-0x0000000074ED0000-0x000000007547B000-memory.dmp

Filesize
5.7MB

Download
memory/2936-81-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2936-85-0x0000000000140000-0x0000000000157000-memory.dmp

Filesize
92KB

Download
memory/2936-104-0x0000000000140000-0x0000000000157000-memory.dmp

Filesize
92KB

Download
memory/2936-84-0x0000000000140000-0x0000000000157000-memory.dmp

Filesize
92KB

Download
memory/2936-94-0x0000000000140000-0x0000000000157000-memory.dmp

Filesize
92KB

Download
memory/2936-82-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2936-79-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2936-88-0x0000000000140000-0x0000000000157000-memory.dmp

Filesize
92KB

Download
memory/2936-90-0x0000000000140000-0x0000000000157000-memory.dmp

Filesize
92KB

Download
memory/2936-91-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2936-93-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2936-86-0x0000000000140000-0x0000000000157000-memory.dmp

Filesize
92KB

Download