dcrat | 93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Size

1.2MB
MD5

253044d5ee570421130d5d18f2bc72fe
SHA1

2370fd8fed97ce646833df4eaa5014b376afba82
SHA256

93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a
SHA512

97f3b6588285fdbe171541f1b9549186624bf6b21a2bea91bda1689c02d983d14743c6b77dfe0688871bccbaa9269353770b60db427bfac1f316c06d70909616
SSDEEP

24576:Y9rma+UPCofPzH5GB2FeAgcichxYqo2B9ljwN:Y1maHTNgcijqo2vlk

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 11 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\Java\\jre-1.8\\lib\\ext\\winlogon.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\dllhost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\System.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Common Files\\wininit.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\Java\\jre-1.8\\lib\\ext\\winlogon.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\dllhost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\System.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Common Files\\wininit.exe\", \"C:\\Program Files (x86)\\MSBuild\\Idle.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\Java\\jre-1.8\\lib\\ext\\winlogon.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\Java\\jre-1.8\\lib\\ext\\winlogon.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\dllhost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\System.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\Java\\jre-1.8\\lib\\ext\\winlogon.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\dllhost.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\Java\\jre-1.8\\lib\\ext\\winlogon.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\dllhost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\System.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\Java\\jre-1.8\\lib\\ext\\winlogon.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\dllhost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\System.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\Java\\jre-1.8\\lib\\ext\\winlogon.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\dllhost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\System.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Common Files\\wininit.exe\", \"C:\\Program Files (x86)\\MSBuild\\Idle.exe\", \"C:\\Users\\Admin\\Saved Games\\Idle.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\MusNotification.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2100	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	2100	schtasks.exe	82

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2372-1-0x00000000009C0000-0x0000000000AF6000-memory.dmp	dcrat
behavioral2/files/0x00070000000233c7-15.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe

Executes dropped EXE 1 IoCs

pid	Process
2668	dllhost.exe

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Internet Explorer\\en-US\\dllhost.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Multimedia Platform\\System.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Recovery\\WindowsRE\\TextInputHost.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Recovery\\WindowsRE\\TextInputHost.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Common Files\\wininit.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\MSBuild\\Idle.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\MSBuild\\Idle.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Internet Explorer\\en-US\\dllhost.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Multimedia Platform\\System.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Java\\jre-1.8\\lib\\ext\\winlogon.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Admin\\Saved Games\\Idle.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Recovery\\WindowsRE\\MusNotification.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Java\\jre-1.8\\lib\\ext\\winlogon.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Common Files\\wininit.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Admin\\Saved Games\\Idle.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Recovery\\WindowsRE\\MusNotification.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\StartMenuExperienceHost.exe	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
File created	C:\Program Files\Windows Mail\55b276f4edf653	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
File created	C:\Program Files (x86)\Common Files\wininit.exe	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
File created	C:\Program Files (x86)\Common Files\56085415360792	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\5940a34987c991	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
File created	C:\Program Files\Windows Multimedia Platform\System.exe	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
File created	C:\Program Files\Windows Multimedia Platform\27d1bcfc3c54e0	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
File created	C:\Program Files (x86)\MSBuild\Idle.exe	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
File created	C:\Program Files (x86)\MSBuild\6ccacd8608530f	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\winlogon.exe	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\cc11b995f2a76d	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\dllhost.exe	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1180	schtasks.exe
3592	schtasks.exe
836	schtasks.exe
752	schtasks.exe
4564	schtasks.exe
2456	schtasks.exe
4404	schtasks.exe
1920	schtasks.exe
4740	schtasks.exe
4196	schtasks.exe
2356	schtasks.exe
3288	schtasks.exe
5096	schtasks.exe
4888	schtasks.exe
4956	schtasks.exe
2648	schtasks.exe
4616	schtasks.exe
1864	schtasks.exe
3344	schtasks.exe
2972	schtasks.exe
2588	schtasks.exe
964	schtasks.exe
4276	schtasks.exe
1284	schtasks.exe
4936	schtasks.exe
3624	schtasks.exe
4536	schtasks.exe
700	schtasks.exe
2904	schtasks.exe
1308	schtasks.exe
1772	schtasks.exe
4732	schtasks.exe
1084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2372	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
2372	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
2372	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
2372	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
2372	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
2372	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
2372	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
2372	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
2372	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
2372	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
2372	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
2372	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
2372	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
2372	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
2668	dllhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Token: SeDebugPrivilege	2668	dllhost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2668	2372	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe	116
PID 2372 wrote to memory of 2668	2372	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
"C:\Users\Admin\AppData\Local\Temp\93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Program Files (x86)\Internet Explorer\en-US\dllhost.exe
  "C:\Program Files (x86)\Internet Explorer\en-US\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre-1.8\lib\ext\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\ext\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre-1.8\lib\ext\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Saved Games\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\en-US\dllhost.exe

Filesize
1.2MB

MD5
253044d5ee570421130d5d18f2bc72fe

SHA1
2370fd8fed97ce646833df4eaa5014b376afba82

SHA256
93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a

SHA512
97f3b6588285fdbe171541f1b9549186624bf6b21a2bea91bda1689c02d983d14743c6b77dfe0688871bccbaa9269353770b60db427bfac1f316c06d70909616

Download Submit
memory/2372-0-0x00007FFE23A13000-0x00007FFE23A15000-memory.dmp

Filesize
8KB

Download
memory/2372-1-0x00000000009C0000-0x0000000000AF6000-memory.dmp

Filesize
1.2MB

Download
memory/2372-2-0x00007FFE23A10000-0x00007FFE244D1000-memory.dmp

Filesize
10.8MB

Download
memory/2372-3-0x0000000002D20000-0x0000000002D3C000-memory.dmp

Filesize
112KB

Download
memory/2372-4-0x000000001BD90000-0x000000001BDE0000-memory.dmp

Filesize
320KB

Download
memory/2372-6-0x0000000002D50000-0x0000000002D5E000-memory.dmp

Filesize
56KB

Download
memory/2372-5-0x000000001BC40000-0x000000001BC56000-memory.dmp

Filesize
88KB

Download
memory/2372-40-0x00007FFE23A10000-0x00007FFE244D1000-memory.dmp

Filesize
10.8MB

Download