Analysis
-
max time kernel
146s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags
arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
submitted
19-07-2024 10:14
Behavioral task
behavioral1
Sample
SandeLLoCHECKER_Installer (2).exe
Resource
win11-20240709-en
General
-
Target
SandeLLoCHECKER_Installer (2).exe
-
Size
1.5MB
-
MD5
4c52459e292810c1197ed6f2e6486375
-
SHA1
12f8ef89e298d758b61b8104aca610ddce9b5b4e
-
SHA256
513bdf8d578fc535a41943fb900c32dc29de645bb9327ab3497b13632e04c6fc
-
SHA512
47bf5deb7661948f84aa8319921ab19dd70e4751475d1682578960d30420c14842f3784f1e416472c252efd3411278711d85ec103664601062606da5a18debe7
-
SSDEEP
24576:62G/nvxW3WvwD4cm7HZi6ABOSJcv9c3B8Z3Mnge2RxpA2UQXN58xTY6+2e:6bA3JDDmk6ocv9c3PiixiU+Z
Malware Config
Signatures
-
DcRat 28 IoCs
DarkCrystal (DC) RAT is a .NET RAT active since June 2019 that is capable of loading additional plugins.
Processes:
pid | process
3496 | schtasks.exe
3168 | schtasks.exe
3364 | schtasks.exe
2520 | schtasks.exe
3340 | schtasks.exe
1796 | schtasks.exe
3140 | schtasks.exe
2440 | schtasks.exe
3600 | schtasks.exe
4412 | schtasks.exe
3892 | schtasks.exe
3088 | schtasks.exe
396 | schtasks.exe
2984 | schtasks.exe
1188 | schtasks.exe
1108 | schtasks.exe
5032 | schtasks.exe
3768 | schtasks.exe
1508 | schtasks.exe
Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings | SandeLLoCHECKER_Installer (2).exe
1560 | schtasks.exe
1240 | schtasks.exe
1288 | schtasks.exe
2904 | schtasks.exe
1936 | schtasks.exe
4048 | schtasks.exe
4524 | schtasks.exe
3192 | schtasks.exe
Modifies WinLogon for persistence 2 TTPs 9 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\chainproviderBrowsersvc\\Idle.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\chainproviderBrowsersvc\\Idle.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\chainproviderBrowsersvc\\Idle.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\fontdrvhost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\chainproviderBrowsersvc\\Idle.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Corporate\\lsass.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\chainproviderBrowsersvc\\Idle.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Corporate\\lsass.exe\", \"C:\\Users\\Public\\AccountPictures\\RuntimeBroker.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\chainproviderBrowsersvc\\Idle.exe\", \"C:\\Users\\Default User\\dllhost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\chainproviderBrowsersvc\\Idle.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\services.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\chainproviderBrowsersvc\\Idle.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Idle.exe\"" | surrogateweb.exe
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description (identical for all 27 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid | pid_target | process
2904 | 3216 | schtasks.exe
1796 | 3216 | schtasks.exe
3340 | 3216 | schtasks.exe
1108 | 3216 | schtasks.exe
1288 | 3216 | schtasks.exe
3496 | 3216 | schtasks.exe
1240 | 3216 | schtasks.exe
3140 | 3216 | schtasks.exe
1508 | 3216 | schtasks.exe
3600 | 3216 | schtasks.exe
4412 | 3216 | schtasks.exe
396 | 3216 | schtasks.exe
1560 | 3216 | schtasks.exe
3892 | 3216 | schtasks.exe
2984 | 3216 | schtasks.exe
1188 | 3216 | schtasks.exe
3168 | 3216 | schtasks.exe
5032 | 3216 | schtasks.exe
1936 | 3216 | schtasks.exe
3364 | 3216 | schtasks.exe
3088 | 3216 | schtasks.exe
4048 | 3216 | schtasks.exe
3768 | 3216 | schtasks.exe
2520 | 3216 | schtasks.exe
2440 | 3216 | schtasks.exe
4524 | 3216 | schtasks.exe
3192 | 3216 | schtasks.exe
Processes:
resource | yara_rule
C:\chainproviderBrowsersvc\surrogateweb.exe | dcrat
behavioral1/memory/124-13-0x0000000000FB0000-0x00000000010E2000-memory.dmp | dcrat
Executes dropped EXE 3 IoCs
Processes:
pid | process
124 | surrogateweb.exe
1480 | surrogateweb.exe
4544 | dllhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 18 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default User\\dllhost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Help\\Corporate\\lsass.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\AccountPictures\\RuntimeBroker.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\chainproviderBrowsersvc\\Idle.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default User\\dllhost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\services.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Windows Sidebar\\Idle.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\fontdrvhost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\AccountPictures\\RuntimeBroker.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\fontdrvhost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Help\\Corporate\\lsass.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\chainproviderBrowsersvc\\Idle.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\services.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Windows Sidebar\\Idle.exe\"" | surrogateweb.exe
Drops file in Program Files directory 8 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Microsoft\Edge\5b884080fd4f94 | surrogateweb.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2021.2012.10.0_neutral_~_8wekyb3d8bbwe\spoolsv.exe | surrogateweb.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\services.exe | surrogateweb.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\services.exe | surrogateweb.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\c5b4cb5e9653cc | surrogateweb.exe
File created | C:\Program Files (x86)\Windows Sidebar\Idle.exe | surrogateweb.exe
File created | C:\Program Files (x86)\Windows Sidebar\6ccacd8608530f | surrogateweb.exe
File created | C:\Program Files (x86)\Microsoft\Edge\fontdrvhost.exe | surrogateweb.exe
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Help\Corporate\lsass.exe | surrogateweb.exe
File created | C:\Windows\Help\Corporate\6203df4a6bafc7 | surrogateweb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings | SandeLLoCHECKER_Installer (2).exe
Key created | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings | surrogateweb.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
396 | schtasks.exe
2904 | schtasks.exe
1288 | schtasks.exe
3892 | schtasks.exe
3168 | schtasks.exe
2440 | schtasks.exe
3768 | schtasks.exe
2520 | schtasks.exe
1796 | schtasks.exe
3340 | schtasks.exe
3496 | schtasks.exe
3140 | schtasks.exe
1508 | schtasks.exe
5032 | schtasks.exe
1108 | schtasks.exe
1240 | schtasks.exe
1188 | schtasks.exe
1936 | schtasks.exe
3364 | schtasks.exe
3192 | schtasks.exe
3088 | schtasks.exe
4048 | schtasks.exe
3600 | schtasks.exe
4412 | schtasks.exe
1560 | schtasks.exe
2984 | schtasks.exe
4524 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes:
pid | process (number of repeated entries)
124 | surrogateweb.exe (3 entries)
1480 | surrogateweb.exe (3 entries)
4544 | dllhost.exe (13 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
4544 | dllhost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 124 | surrogateweb.exe
Token: SeDebugPrivilege | 1480 | surrogateweb.exe
Token: SeDebugPrivilege | 4544 | dllhost.exe
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
description | pid | process | target process (number of repeated entries)
PID 1340 wrote to memory of 1968 | 1340 | SandeLLoCHECKER_Installer (2).exe | WScript.exe (3 entries)
PID 1968 wrote to memory of 1256 | 1968 | WScript.exe | cmd.exe (3 entries)
PID 1256 wrote to memory of 124 | 1256 | cmd.exe | surrogateweb.exe (2 entries)
PID 124 wrote to memory of 1752 | 124 | surrogateweb.exe | cmd.exe (2 entries)
PID 1752 wrote to memory of 2616 | 1752 | cmd.exe | w32tm.exe (2 entries)
PID 1752 wrote to memory of 1480 | 1752 | cmd.exe | surrogateweb.exe (2 entries)
PID 1480 wrote to memory of 4544 | 1480 | surrogateweb.exe | dllhost.exe (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER_Installer (2).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER_Installer (2).exe"
- DcRat
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1340 -
Depth 2: C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\chainproviderBrowsersvc\1byCZNucUjtCyYTxjpkyduFHkoB.vbe"
- Suspicious use of WriteProcessMemory
PID:1968 -
Depth 3: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\chainproviderBrowsersvc\1L1To0L.bat" "
- Suspicious use of WriteProcessMemory
PID:1256 -
Depth 4: C:\chainproviderBrowsersvc\surrogateweb.exe
  Command line: "C:\chainproviderBrowsersvc\surrogateweb.exe"
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:124 -
Depth 5: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TnEi4NPhyI.bat"
- Suspicious use of WriteProcessMemory
PID:1752 -
Depth 6: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2616
-
Depth 6: C:\chainproviderBrowsersvc\surrogateweb.exe
  Command line: "C:\chainproviderBrowsersvc\surrogateweb.exe"
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480 -
Depth 7: C:\Recovery\WindowsRE\dllhost.exe
  Command line: "C:\Recovery\WindowsRE\dllhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4544
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\chainproviderBrowsersvc\Idle.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\chainproviderBrowsersvc\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\chainproviderBrowsersvc\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dllhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3140
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\services.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3600
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Idle.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3892
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3168
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\fontdrvhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\Corporate\lsass.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Help\Corporate\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\Corporate\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3768
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\RuntimeBroker.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524
-
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Downloads