Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2024 21:31

Behavioral tasks
- behavioral1: sample AC9E1C7DECB45FA41C77E30543BC535E.exe, resource win7-20240704-en
- behavioral2: sample AC9E1C7DECB45FA41C77E30543BC535E.exe, resource win10v2004-20240709-en

The signatures, process tree and memory resources reported below come from behavioral1 (the Windows 7 x64 run).
General
- Target: AC9E1C7DECB45FA41C77E30543BC535E.exe
- Size: 827KB
- MD5: ac9e1c7decb45fa41c77e30543bc535e
- SHA1: b89c25859b9b195d8768868be6d4b029bd395d1f
- SHA256: fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682
- SHA512: 32ad2b8385fbb5206be47bd55f8a3af55ce6fd84c48771fec8b7fc39862fb9133aaf99de5672a548454c17fd05a03a0f3c1813df65b65fdae73ca7881393c417
- SSDEEP: 12288:aRX/Vbdw0amUjO3t/6jf0eEHP2a1KP/CpvwfpKdXRJNJa:kXVamd96jf0/2apvwxKdXRJNJa
Malware Config
Signatures

DcRat 38 IoCs
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
Processes (pid, process):
- schtasks.exe, 36 instances: PIDs 988, 3048, 2716, 2728, 1964, 2168, 2676, 2820, 2600, 3024, 1912, 1520, 700, 2352, 2744, 356, 1768, 2864, 2764, 2392, 2584, 2560, 1748, 2424, 1148, 2668, 3012, 2852, 1312, 2792, 2252, 1032, 1812, 2592, 2896, 2364
- File created: C:\Windows\Resources\Ease of Access Themes\wininit.exe (by AC9E1C7DECB45FA41C77E30543BC535E.exe)
- File created: C:\Windows\Resources\Ease of Access Themes\56085415360792 (by AC9E1C7DECB45FA41C77E30543BC535E.exe)
Modifies WinLogon for persistence 2 TTPs 12 IoCs
Processes: AC9E1C7DECB45FA41C77E30543BC535E.exe
Registry value written (Set value (str), 12 times): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
This value is normally just explorer.exe; Winlogon launches every program listed in it at logon. Each of the 12 writes appended one more quoted path after explorer.exe, so the final value is explorer.exe followed by these twelve executables, comma-separated, in the order they were appended:
1. C:\Windows\Resources\Ease of Access Themes\wininit.exe
2. C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\taskhost.exe
3. C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\lsass.exe
4. C:\Program Files\Windows Journal\fr-FR\WMIADAP.exe
5. C:\MSOCache\All Users\Idle.exe
6. C:\Windows\Branding\ShellBrd\wininit.exe
7. C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\csrss.exe
8. C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\WMIADAP.exe
9. C:\Windows\Web\OSPPSVC.exe
10. C:\Windows\IME\it-IT\audiodg.exe
11. C:\Users\Default\dllhost.exe
12. C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\services.exe
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is the WMI provider host, which is also what appears when malware creates a process through WMI (Win32_Process.Create): the child is parented to wmiprvse.exe instead of to the sample, which breaks the direct parent-child link back to it.
Processes (description, pid, pid_target, process):
All 36 entries share the same description, parent and image: "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", parent PID 2052, process schtasks.exe. Child PIDs in report order: 2392, 2252, 2668, 2820, 2716, 2764, 2676, 2592, 2584, 2728, 2560, 2600, 3024, 988, 1964, 1912, 2792, 2864, 2364, 2744, 1520, 1748, 2852, 700, 1312, 356, 1768, 2896, 2424, 2168, 2352, 3048, 1032, 1148, 1812, 3012.
YARA matches (resource, yara_rule):
- behavioral1/memory/852-1-0x0000000000840000-0x0000000000916000-memory.dmp: dcrat
- C:\MSOCache\All Users\Idle.exe: dcrat
- behavioral1/memory/1704-35-0x00000000003D0000-0x00000000004A6000-memory.dmp: dcrat
Executes dropped EXE 1 IoCs
Processes:
- 1704 WMIADAP.exe
Adds Run key to start application 2 TTPs 24 IoCs
Processes: AC9E1C7DECB45FA41C77E30543BC535E.exe
Set value (str) under both \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run (24 writes: 12 entries in each hive):
- Idle = "C:\MSOCache\All Users\Idle.exe"
- WMIADAP = "C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\WMIADAP.exe"
- audiodg = "C:\Windows\IME\it-IT\audiodg.exe"
- wininit = "C:\Windows\Resources\Ease of Access Themes\wininit.exe"
- taskhost = "C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\taskhost.exe"
- WMIADAP = "C:\Program Files\Windows Journal\fr-FR\WMIADAP.exe"
- lsass = "C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\lsass.exe"
- wininit = "C:\Windows\Branding\ShellBrd\wininit.exe"
- csrss = "C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\csrss.exe"
- OSPPSVC = "C:\Windows\Web\OSPPSVC.exe"
- dllhost = "C:\Users\Default\dllhost.exe"
- services = "C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\services.exe"
The value names WMIADAP and wininit are each written twice with different paths. A Run value name is unique within its key, so in each hive only the later of the two paths survives; the other copy is still started through the Winlogon Shell value and the scheduled tasks.
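As an added worked example (not part of the sandbox report), the following Python parses "Set value (str)" registry lines in the shape the report prints and flags the two persistence patterns shown in the Winlogon and Run-key sections above: a Winlogon Shell value that launches anything besides explorer.exe, and a Run entry whose image carries a Windows system binary's name but lives outside the system directory, or sits in a directory installers never write executables to. SYSTEM_NAMES, ODD_DIRS and the sample events are constructed for this example; the first three events are copied from this report, the last two are benign controls.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Windows system binary names that malware likes to borrow. Constructed starter
# list for this example; extend it from your own baseline.
SYSTEM_NAMES = {
    "wininit", "lsass", "csrss", "services", "taskhost", "dllhost", "audiodg",
    "wmiadap", "svchost", "smss", "winlogon", "explorer",
}
# Directories no installer drops executables into. Constructed for this example.
ODD_DIRS = (
    r"c:\recovery", r"c:\users\default", r"c:\msocache", r"c:\windows\web",
    r"c:\windows\ime", r"c:\windows\branding", r"c:\windows\resources",
)
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample input in the shape of the report's "Set value (str)" lines
# (embedded quotes escaped as \" and backslashes as \\). The first three lines are
# copied from this report; the last two are benign controls that must not fire.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Resources\\Ease of Access Themes\\wininit.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\lsass.exe\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\lsass.exe\""',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default\\dllhost.exe\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate = "\"C:\\Program Files\\Vendor\\update.exe\" /quiet"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"',
]

EVENT_RE = re.compile(r'^Set value \(\w+\) (?P<key>.+?) = "(?P<raw>.*)"$')
TOKEN_RE = re.compile(r'"([^"]*)"|([^\s,"]+)')   # a double-quoted path, or a bare token


@dataclass
class Finding:
    key: str
    image: str
    reasons: list


def unescape(raw: str) -> str:
    # The report prints embedded quotes as \" and backslashes as \\ ; undo both.
    return raw.replace('\\"', '"').replace("\\\\", "\\")


def tokens(value: str) -> list:
    """Split a registry value into paths/arguments, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(value)]


def _under(folder: str, roots) -> bool:
    return any(folder == r or folder.startswith(r + "\\") for r in roots)


def check_image(image: str) -> list:
    """Reasons an autostart image looks planted; an empty list means nothing odd."""
    p = PureWindowsPath(image)
    stem, folder = p.stem.lower(), str(p.parent).lower()
    reasons = []
    if stem in SYSTEM_NAMES and not _under(folder, SYSTEM_DIRS):
        reasons.append(f"{p.name} carries a Windows system binary name but runs from {folder}")
    if _under(folder, ODD_DIRS):
        reasons.append(f"executable planted under {folder}, a location installers do not use")
    return reasons


def triage(events) -> list:
    findings = []
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue
        key, value = m["key"], unescape(m["raw"])
        toks = tokens(value)
        lkey = key.lower()
        if lkey.endswith("\\winlogon\\shell"):
            # Winlogon launches every program listed here at logon; it should be just explorer.exe.
            extra = [t for t in toks if t.lower() != "explorer.exe"]
            if extra:
                findings.append(Finding(key, "; ".join(extra),
                                        [f"Winlogon Shell starts {len(extra)} executable(s) besides explorer.exe"]))
        elif "\\currentversion\\run\\" in lkey and toks:
            image = toks[0]          # first token is the image; anything after it is arguments
            reasons = check_image(image)
            if reasons:
                findings.append(Finding(key, image, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.key.rsplit("\\", 1)[-1], "->", f.image)
        for r in f.reasons:
            print("   ", r)
```

Run against the five sample lines, the script reports the extended Shell value and the lsass and dllhost Run entries, and stays quiet on the vendor updater and the untouched Shell value. The same two checks apply to Sysmon event ID 13 (RegistryEvent value set) once the Details field is passed through tokens().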
Drops file in Program Files directory 2 IoCs
Processes:
AC9E1C7DECB45FA41C77E30543BC535E.exe created:
- C:\Program Files\Windows Journal\fr-FR\WMIADAP.exe
- C:\Program Files\Windows Journal\fr-FR\75a57c1bdf437c
Drops file in Windows directory 9 IoCs
Processes:
AC9E1C7DECB45FA41C77E30543BC535E.exe:
- File created: C:\Windows\Resources\Ease of Access Themes\wininit.exe
- File created: C:\Windows\Web\1610b97d3ab4a7
- File created: C:\Windows\IME\it-IT\42af1c969fbb7b
- File opened for modification: C:\Windows\Resources\Ease of Access Themes\wininit.exe
- File created: C:\Windows\Resources\Ease of Access Themes\56085415360792
- File created: C:\Windows\Branding\ShellBrd\wininit.exe
- File created: C:\Windows\Branding\ShellBrd\56085415360792
- File created: C:\Windows\Web\OSPPSVC.exe
- File created: C:\Windows\IME\it-IT\audiodg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- schtasks.exe, 36 instances: PIDs 2668, 2584, 2560, 1768, 1032, 2392, 2716, 2592, 3024, 2792, 1312, 2764, 2676, 2728, 2600, 2168, 1148, 3012, 988, 2864, 2364, 2352, 2252, 1748, 2852, 2424, 2820, 1520, 700, 356, 1812, 1964, 1912, 2744, 2896, 3048
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- 852 AC9E1C7DECB45FA41C77E30543BC535E.exe
- 1704 WMIADAP.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- Token: SeDebugPrivilege, PID 852 AC9E1C7DECB45FA41C77E30543BC535E.exe
- Token: SeDebugPrivilege, PID 1704 WMIADAP.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
- PID 852 (AC9E1C7DECB45FA41C77E30543BC535E.exe) wrote to memory of PID 956 (cmd.exe), 3 writes
- PID 956 (cmd.exe) wrote to memory of PID 1684 (w32tm.exe), 3 writes
- PID 956 (cmd.exe) wrote to memory of PID 1704 (WMIADAP.exe), 3 writes
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- PID 852: C:\Users\Admin\AppData\Local\Temp\AC9E1C7DECB45FA41C77E30543BC535E.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AC9E1C7DECB45FA41C77E30543BC535E.exe"
  Signatures: DcRat; Modifies WinLogon for persistence; Adds Run key to start application; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 956: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\THXtcpqvfm.bat"
    Signatures: Suspicious use of WriteProcessMemory
    - PID 1684: C:\Windows\system32\w32tm.exe
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      (A w32tm /stripchart call against localhost is a common stand-in for a short sleep in dropper batch files; here it runs immediately before the dropped copy is started.)
    - PID 1704: C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\WMIADAP.exe
      Command line: "C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\WMIADAP.exe"
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

The 36 schtasks.exe processes below (image C:\Windows\system32\schtasks.exe) sit at the top level of the tree because their parent, PID 2052 (C:\Windows\system32\wbem\wmiprvse.exe), is not itself a descendant of the sample. Each carries the signatures DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task. Every dropped binary receives three tasks: one ONLOGON task with /rl HIGHEST, and two MINUTE-interval tasks registered under the binary's name with one extra trailing letter. Two targets share the task names wininit/wininitw and two share WMIADAP/WMIADAPW; because /f replaces an existing task of the same name, only the last target registered under each name remains.

- PID 2392: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /f
- PID 2252: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /rl HIGHEST /f
- PID 2668: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /rl HIGHEST /f
- PID 2820: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\taskhost.exe'" /f
- PID 2716: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\taskhost.exe'" /rl HIGHEST /f
- PID 2764: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\taskhost.exe'" /rl HIGHEST /f
- PID 2676: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\lsass.exe'" /f
- PID 2592: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\lsass.exe'" /rl HIGHEST /f
- PID 2584: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\lsass.exe'" /rl HIGHEST /f
- PID 2728: schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\fr-FR\WMIADAP.exe'" /f
- PID 2560: schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\WMIADAP.exe'" /rl HIGHEST /f
- PID 2600: schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\fr-FR\WMIADAP.exe'" /rl HIGHEST /f
- PID 3024: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
- PID 988: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
- PID 1964: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
- PID 1912: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\ShellBrd\wininit.exe'" /f
- PID 2792: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\wininit.exe'" /rl HIGHEST /f
- PID 2864: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\ShellBrd\wininit.exe'" /rl HIGHEST /f
- PID 2364: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\csrss.exe'" /f
- PID 2744: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\csrss.exe'" /rl HIGHEST /f
- PID 1520: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\csrss.exe'" /rl HIGHEST /f
- PID 1748: schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\WMIADAP.exe'" /f
- PID 2852: schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\WMIADAP.exe'" /rl HIGHEST /f
- PID 700: schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\WMIADAP.exe'" /rl HIGHEST /f
- PID 1312: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\OSPPSVC.exe'" /f
- PID 356: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Web\OSPPSVC.exe'" /rl HIGHEST /f
- PID 1768: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\OSPPSVC.exe'" /rl HIGHEST /f
- PID 2896: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\it-IT\audiodg.exe'" /f
- PID 2168: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\IME\it-IT\audiodg.exe'" /rl HIGHEST /f
- PID 2424: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\it-IT\audiodg.exe'" /rl HIGHEST /f
- PID 2352: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\dllhost.exe'" /f
- PID 3048: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
- PID 1032: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
- PID 1148: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\services.exe'" /f
- PID 1812: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\services.exe'" /rl HIGHEST /f
- PID 3012: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\services.exe'" /rl HIGHEST /f
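As an added worked example (not part of the sandbox report), the following Python scores schtasks /create command lines of the kind listed in the process tree above, together with the parent image, for the traits this sample shows: a wmiprvse.exe parent, a task name that copies a Windows system binary (or one with a trailing letter added, as in wininitw and lsassl), a short MINUTE interval, /rl HIGHEST, and a target that carries a system binary's name but runs from outside System32. It also groups tasks by target, which surfaces the ONLOGON-plus-MINUTE layering. SYSTEM_NAMES, the weights, the SUSPICIOUS threshold and the sample pairs are constructed for this example; the first three command lines are copied from the tree above, the fourth is a benign control.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Windows system binary names that malware likes to borrow. Constructed starter list.
SYSTEM_NAMES = {
    "wininit", "lsass", "csrss", "services", "taskhost", "dllhost", "audiodg",
    "wmiadap", "svchost", "smss", "winlogon", "explorer",
}
SUSPICIOUS = 4   # score at or above which a task creation is worth an alert

# Constructed sample input: (parent image, schtasks command line). The first three
# pairs are copied from the process tree above; the fourth is a benign control.
SAMPLE_TASKS = [
    (r"C:\Windows\system32\wbem\wmiprvse.exe",
     r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /f'''),
    (r"C:\Windows\system32\wbem\wmiprvse.exe",
     r'''schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /rl HIGHEST /f'''),
    (r"C:\Windows\system32\wbem\wmiprvse.exe",
     r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\lsass.exe'" /rl HIGHEST /f'''),
    (r"C:\Windows\explorer.exe",
     r'schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f'),
]

# /switch followed by an optional value: a double-quoted string, or a bare token
# that does not itself start the next switch.
OPT_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^\s/"]\S*))?')


@dataclass
class TaskVerdict:
    name: str
    target: str
    score: int
    reasons: list


def parse_schtasks(cmdline: str) -> dict:
    """Map lower-cased switch names to values; value-less switches map to True."""
    opts = {}
    for m in OPT_RE.finditer(cmdline):
        val = m.group(2)
        # /tr values in this report are wrapped in both "..." and '...'
        opts[m.group(1).lower()] = val.strip('"').strip("'") if val else True
    return opts


def mimics_system_name(task_name: str) -> bool:
    stem = task_name.lower()
    if stem in SYSTEM_NAMES:
        return True
    # Pattern in this report: system name plus its own first letter (wininitw, lsassl, csrssc).
    return len(stem) > 1 and stem[:-1] in SYSTEM_NAMES and stem[-1] == stem[0]


def assess(parent: str, cmdline: str):
    opts = parse_schtasks(cmdline)
    if "create" not in opts:
        return None
    name, target = str(opts.get("tn", "")), str(opts.get("tr", ""))
    score, reasons = 0, []
    if PureWindowsPath(parent).name.lower() == "wmiprvse.exe":
        score += 2
        reasons.append("launched by the WMI provider host (process created via WMI, real parent hidden)")
    mo = str(opts.get("mo", ""))
    if str(opts.get("sc", "")).upper() == "MINUTE" and mo.isdigit() and int(mo) <= 15:
        score += 2
        reasons.append(f"re-launches target every {mo} minute(s)")
    if mimics_system_name(name):
        score += 2
        reasons.append(f"task name {name!r} mimics a Windows system binary")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        score += 1
        reasons.append("requests highest run level")
    exe = PureWindowsPath(target)
    folder = str(exe.parent).lower()
    if exe.stem.lower() in SYSTEM_NAMES and not folder.startswith("c:\\windows\\system32"):
        score += 2
        reasons.append(f"{exe.name} runs from {folder}, not the system directory")
    return TaskVerdict(name, target, score, reasons)


def triage_tasks(events) -> list:
    return [v for v in (assess(p, c) for p, c in events) if v is not None]


def layered_targets(verdicts) -> dict:
    """Targets registered under more than one task name (ONLOGON plus MINUTE tasks)."""
    by_target = defaultdict(list)
    for v in verdicts:
        by_target[v.target.lower()].append(v.name)
    return {t: names for t, names in by_target.items() if len(names) > 1}


if __name__ == "__main__":
    verdicts = triage_tasks(SAMPLE_TASKS)
    for v in verdicts:
        flag = "ALERT" if v.score >= SUSPICIOUS else "ok   "
        print(f"{flag} score={v.score} {v.name!r} -> {v.target}")
        for r in v.reasons:
            print("      ", r)
    for target, names in layered_targets(verdicts).items():
        print("layered:", target, names)
```

The three DcRat command lines score 8, 7 and 9 and the backup task scores 0, so the threshold separates them cleanly on this input; in production, feed it the CommandLine and ParentImage fields of Sysmon event ID 1 and tune the weights against your own schtasks baseline before alerting on the wmiprvse.exe parent alone, since legitimate management tooling also creates processes through WMI.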
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
- Scheduled Task/Job (T1053): 1
  - Scheduled Task (T1053.005): 1
Downloads
- Filesize: 827KB
  MD5: ac9e1c7decb45fa41c77e30543bc535e
  SHA1: b89c25859b9b195d8768868be6d4b029bd395d1f
  SHA256: fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682
  SHA512: 32ad2b8385fbb5206be47bd55f8a3af55ce6fd84c48771fec8b7fc39862fb9133aaf99de5672a548454c17fd05a03a0f3c1813df65b65fdae73ca7881393c417
- Filesize: 225B
  MD5: bb601b5f3ee05f108f64bbfe2f01afc1
  SHA1: 3efc2b3d06f2dfd53e1db3694f2ad66615f3233b
  SHA256: f5b4e3939597eefb2c172d46b2d25fdf871b073fb4964a2155cdacb9407d74a1
  SHA512: 2484765138ef0994c422d48a376cfef497d21a586de183aabbf8e0bfaed9858680007351402feb62819b08fac5c520c806c45226f2f3bd718a4f175b3d3f1e2c