Analysis
max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags
arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted
21-07-2024 08:15
Behavioral task
behavioral1
Sample
5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Resource
win10v2004-20240709-en
General
Target
5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Size
2.0MB
MD5
6e4e01af6b88116f0c7331bba5e7b782
SHA1
756c0a5ea8aac86f41d118166452a011a608043c
SHA256
5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147
SHA512
f49b6146f313624606a9eb80287c23c68aaefcf7ffafacba83a87b333b4388dd38a423a179b7bcb0e1d555873681b405c781faf68e2d7169fa7bcefe4a73874b
SSDEEP
24576:jYe7C5QSBzoU/n15NuQtG+7IwzwT2wLqq12OBOa2WYO3QFSBztYSqEEU5oZUSzTO:jYemPM0tvmwGBF223ZztBqEqx9v
Malware Config
Signatures
-
DcRat 35 IoCs
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Processes:
pid process
2692 schtasks.exe
1232 schtasks.exe
640 schtasks.exe
1996 schtasks.exe
2932 schtasks.exe
File created C:\Program Files\Windows Sidebar\ja-JP\69ddcba757bf72 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
2832 schtasks.exe
2668 schtasks.exe
2432 schtasks.exe
2868 schtasks.exe
2808 schtasks.exe
2816 schtasks.exe
1616 schtasks.exe
1920 schtasks.exe
2912 schtasks.exe
1764 schtasks.exe
2812 schtasks.exe
2660 schtasks.exe
1988 schtasks.exe
2936 schtasks.exe
2516 schtasks.exe
1940 schtasks.exe
1456 schtasks.exe
2976 schtasks.exe
3060 schtasks.exe
324 schtasks.exe
776 schtasks.exe
2452 schtasks.exe
784 schtasks.exe
2620 schtasks.exe
2172 schtasks.exe
2136 schtasks.exe
File created C:\Program Files\Windows Sidebar\ja-JP\smss.exe 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
2996 schtasks.exe
2688 schtasks.exe
Modifies WinLogon for persistence 2 TTPs 11 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\spoolsv.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\lsm.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\MSOCache\\All Users\\Idle.exe\", \"C:\\Users\\Admin\\Saved Games\\dwm.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\Idle.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\MSOCache\\All Users\\Idle.exe\", \"C:\\Users\\Admin\\Saved Games\\dwm.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\Idle.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\ja-JP\\Idle.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\MSOCache\\All Users\\Idle.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\MSOCache\\All Users\\Idle.exe\", \"C:\\Users\\Admin\\Saved Games\\dwm.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description pid pid_target process target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2812 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2832 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2816 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2868 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2808 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2976 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2660 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2668 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2620 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2692 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3060 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2172 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 324 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1988 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1232 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2936 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1616 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2516 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 640 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1996 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2688 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2932 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2136 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1920 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 776 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2432 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1940 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2452 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 784 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2912 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1456 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1764 2480 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2996 2480 schtasks.exe
Processes:
resource yara_rule
behavioral1/memory/2392-1-0x0000000000120000-0x000000000032E000-memory.dmp dcrat
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe dcrat
behavioral1/memory/1484-39-0x0000000000BB0000-0x0000000000DBE000-memory.dmp dcrat
Executes dropped EXE 1 IoCs
Processes:
pid process
1484 sppsvc.exe
Adds Run key to start application 2 TTPs 22 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\Idle.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\Idle.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows NT\\Accessories\\ja-JP\\Idle.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows NT\\Accessories\\ja-JP\\Idle.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\spoolsv.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\lsm.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\Idle.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Admin\\Saved Games\\dwm.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\spoolsv.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\lsm.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\Idle.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Admin\\Saved Games\\dwm.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc
4 ip-api.com
Drops file in Program Files directory 7 IoCs
Processes:
description ioc process
File created C:\Program Files\Windows Sidebar\ja-JP\smss.exe 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File opened for modification C:\Program Files\Windows Sidebar\ja-JP\smss.exe 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Program Files\Windows Sidebar\ja-JP\69ddcba757bf72 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Program Files\Windows Photo Viewer\de-DE\sppsvc.exe 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Program Files\Windows Photo Viewer\de-DE\0a1fd5f707cd16 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Program Files\Windows NT\Accessories\ja-JP\Idle.exe 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Program Files\Windows NT\Accessories\ja-JP\6ccacd8608530f 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid process
2868 schtasks.exe
2668 schtasks.exe
324 schtasks.exe
2912 schtasks.exe
2660 schtasks.exe
640 schtasks.exe
2688 schtasks.exe
2996 schtasks.exe
2808 schtasks.exe
1940 schtasks.exe
1764 schtasks.exe
2812 schtasks.exe
1232 schtasks.exe
1996 schtasks.exe
784 schtasks.exe
2620 schtasks.exe
2936 schtasks.exe
2932 schtasks.exe
2432 schtasks.exe
1988 schtasks.exe
2516 schtasks.exe
1920 schtasks.exe
2976 schtasks.exe
2136 schtasks.exe
2452 schtasks.exe
1456 schtasks.exe
2172 schtasks.exe
1616 schtasks.exe
776 schtasks.exe
2832 schtasks.exe
2816 schtasks.exe
2692 schtasks.exe
3060 schtasks.exe
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
pid process
2392 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
2392 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
2392 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
2392 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
2392 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
2392 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
2392 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
2392 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
1484 sppsvc.exe
1484 sppsvc.exe
1484 sppsvc.exe
1484 sppsvc.exe
1484 sppsvc.exe
1484 sppsvc.exe
1484 sppsvc.exe
1484 sppsvc.exe
1484 sppsvc.exe
1484 sppsvc.exe
1484 sppsvc.exe
1484 sppsvc.exe
1484 sppsvc.exe
1484 sppsvc.exe
1484 sppsvc.exe
1484 sppsvc.exe
1484 sppsvc.exe
1484 sppsvc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 2392 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Token: SeDebugPrivilege 1484 sppsvc.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description pid process target process
PID 2392 wrote to memory of 1484 2392 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe sppsvc.exe
PID 2392 wrote to memory of 1484 2392 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe sppsvc.exe
PID 2392 wrote to memory of 1484 2392 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe sppsvc.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
"C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe"
- DcRat
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Users\Default User\sppsvc.exe
"C:\Users\Default User\sppsvc.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484
-
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\ja-JP\smss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\ja-JP\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sppsvc.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\lsm.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\lsm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\lsm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\sppsvc.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\sppsvc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\sppsvc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Saved Games\dwm.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\dwm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Saved Games\dwm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\Idle.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\Idle.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Downloads
Filesize
2.0MB
MD5
6e4e01af6b88116f0c7331bba5e7b782
SHA1
756c0a5ea8aac86f41d118166452a011a608043c
SHA256
5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147
SHA512
f49b6146f313624606a9eb80287c23c68aaefcf7ffafacba83a87b333b4388dd38a423a179b7bcb0e1d555873681b405c781faf68e2d7169fa7bcefe4a73874b