Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
submitted: 21-07-2024 10:23
Behavioral task: behavioral1
Sample: fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
Resource: win10v2004-20240709-en
General
Target: fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
Size: 827KB
MD5: ac9e1c7decb45fa41c77e30543bc535e
SHA1: b89c25859b9b195d8768868be6d4b029bd395d1f
SHA256: fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682
SHA512: 32ad2b8385fbb5206be47bd55f8a3af55ce6fd84c48771fec8b7fc39862fb9133aaf99de5672a548454c17fd05a03a0f3c1813df65b65fdae73ca7881393c417
SSDEEP: 12288:aRX/Vbdw0amUjO3t/6jf0eEHP2a1KP/CpvwfpKdXRJNJa:kXVamd96jf0/2apvwxKdXRJNJa
Malware Config
Signatures
DcRat 29 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes (pid, process / file IoC):
- 1068 schtasks.exe
- 2760 schtasks.exe
- 2584 schtasks.exe
- 2656 schtasks.exe
- 2784 schtasks.exe
- File created: C:\Windows\system\6203df4a6bafc7 (fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe)
- 2640 schtasks.exe
- 2548 schtasks.exe
- 1564 schtasks.exe
- File created: C:\Windows\system\lsass.exe (fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe)
- 2024 schtasks.exe
- 2844 schtasks.exe
- 1856 schtasks.exe
- 3048 schtasks.exe
- 2792 schtasks.exe
- 2812 schtasks.exe
- 1868 schtasks.exe
- 2708 schtasks.exe
- 2104 schtasks.exe
- 2588 schtasks.exe
- 2712 schtasks.exe
- 2116 schtasks.exe
- 2704 schtasks.exe
- 2772 schtasks.exe
- 2632 schtasks.exe
- 2456 schtasks.exe
- 1236 schtasks.exe
- 2452 schtasks.exe
- 2892 schtasks.exe
Modifies WinLogon for persistence 2 TTPs 9 IoCs
Processes (description, ioc, process; all entries written by fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\lsass.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Windows\\de-DE\\csrss.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Windows\\de-DE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\System.exe\", \"C:\\Program Files\\DVD Maker\\OSPPSVC.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Windows\\de-DE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\System.exe\", \"C:\\Program Files\\DVD Maker\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\audiodg.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Windows\\de-DE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\System.exe\", \"C:\\Program Files\\DVD Maker\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\audiodg.exe\", \"C:\\Windows\\TAPI\\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Windows\\de-DE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\System.exe\", \"C:\\Program Files\\DVD Maker\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\audiodg.exe\", \"C:\\Windows\\TAPI\\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe\", \"C:\\Windows\\Help\\Windows\\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Windows\\de-DE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\System.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Windows\\de-DE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\System.exe\", \"C:\\Program Files\\DVD Maker\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\smss.exe\""
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes (columns: description, pid, pid_target, process, target process; every row is "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process"):
- 1068 1368 schtasks.exe
- 2024 1368 schtasks.exe
- 2632 1368 schtasks.exe
- 2104 1368 schtasks.exe
- 2116 1368 schtasks.exe
- 2640 1368 schtasks.exe
- 2760 1368 schtasks.exe
- 2708 1368 schtasks.exe
- 2588 1368 schtasks.exe
- 2844 1368 schtasks.exe
- 2456 1368 schtasks.exe
- 2548 1368 schtasks.exe
- 2712 1368 schtasks.exe
- 2452 1368 schtasks.exe
- 2584 1368 schtasks.exe
- 1564 1368 schtasks.exe
- 3048 1368 schtasks.exe
- 2656 1368 schtasks.exe
- 2792 1368 schtasks.exe
- 2784 1368 schtasks.exe
- 2812 1368 schtasks.exe
- 2892 1368 schtasks.exe
- 2704 1368 schtasks.exe
- 2772 1368 schtasks.exe
- 1856 1368 schtasks.exe
- 1868 1368 schtasks.exe
- 1236 1368 schtasks.exe
Processes (resource, yara_rule):
- behavioral1/memory/3036-1-0x00000000003B0000-0x0000000000486000-memory.dmp: dcrat
- C:\Program Files\DVD Maker\OSPPSVC.exe: dcrat
- behavioral1/memory/2064-28-0x0000000000F90000-0x0000000001066000-memory.dmp: dcrat
Executes dropped EXE 1 IoCs
Processes (pid, process):
- 2064 fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
Adds Run key to start application 2 TTPs 18 IoCs
Processes (description, ioc, process; all entries written by fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe):
- Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\system\\lsass.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\de-DE\\csrss.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\smss.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682 = "\"C:\\Windows\\Help\\Windows\\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Public\\Pictures\\Sample Pictures\\audiodg.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\de-DE\\csrss.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\System.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\DVD Maker\\OSPPSVC.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Public\\Pictures\\Sample Pictures\\audiodg.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\System.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\smss.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682 = "\"C:\\Windows\\TAPI\\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682 = "\"C:\\Windows\\Help\\Windows\\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\system\\lsass.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\DVD Maker\\OSPPSVC.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682 = "\"C:\\Windows\\TAPI\\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe\""
Drops file in Program Files directory 4 IoCs
Processes (description, ioc, process; all entries by fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe):
- File created: C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\System.exe
- File created: C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\27d1bcfc3c54e0
- File created: C:\Program Files\DVD Maker\OSPPSVC.exe
- File created: C:\Program Files\DVD Maker\1610b97d3ab4a7
Drops file in Windows directory 9 IoCs
Processes (description, ioc, process; all entries by fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe):
- File created: C:\Windows\system\lsass.exe
- File created: C:\Windows\Help\Windows\837dac93350532
- File opened for modification: C:\Windows\system\lsass.exe
- File created: C:\Windows\system\6203df4a6bafc7
- File created: C:\Windows\de-DE\csrss.exe
- File created: C:\Windows\de-DE\886983d96e3d3e
- File created: C:\Windows\TAPI\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
- File created: C:\Windows\TAPI\837dac93350532
- File created: C:\Windows\Help\Windows\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- 1068 schtasks.exe
- 2024 schtasks.exe
- 2584 schtasks.exe
- 1868 schtasks.exe
- 2104 schtasks.exe
- 2812 schtasks.exe
- 2588 schtasks.exe
- 2844 schtasks.exe
- 2548 schtasks.exe
- 2656 schtasks.exe
- 2772 schtasks.exe
- 1236 schtasks.exe
- 2456 schtasks.exe
- 2712 schtasks.exe
- 2792 schtasks.exe
- 2704 schtasks.exe
- 2632 schtasks.exe
- 2708 schtasks.exe
- 2784 schtasks.exe
- 1564 schtasks.exe
- 3048 schtasks.exe
- 2116 schtasks.exe
- 2760 schtasks.exe
- 2452 schtasks.exe
- 2892 schtasks.exe
- 2640 schtasks.exe
- 1856 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes (pid, process):
- 3036 fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
- 2064 fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 3036, fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
- Token: SeDebugPrivilege, 2064, fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes (description, pid, process, target process):
- PID 3036 wrote to memory of 2064: 3036, fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe, fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
- PID 3036 wrote to memory of 2064: 3036, fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe, fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
- PID 3036 wrote to memory of 2064: 3036, fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe, fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; an indented entry is a child of the entry above it)

C:\Users\Admin\AppData\Local\Temp\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe"
  - DcRat
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3036
    C:\Windows\TAPI\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
      Command line: "C:\Windows\TAPI\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2064

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\system\lsass.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1068

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\system\lsass.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2024

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\system\lsass.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2632

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2104

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2116

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2640

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\csrss.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2760

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\de-DE\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2708

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2588

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\System.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2844

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\System.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2456

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\System.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2548

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\OSPPSVC.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2712

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\OSPPSVC.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2452

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\OSPPSVC.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2584

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1564

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3048

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2656

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Sample Pictures\audiodg.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2792

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\audiodg.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2784

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\Sample Pictures\audiodg.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2812

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682f" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2892

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682" /sc ONLOGON /tr "'C:\Windows\TAPI\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2704

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682f" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2772

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682f" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\Windows\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1856

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682" /sc ONLOGON /tr "'C:\Windows\Help\Windows\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1868

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682f" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\Windows\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1236
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
Filesize: 827KB
MD5: ac9e1c7decb45fa41c77e30543bc535e
SHA1: b89c25859b9b195d8768868be6d4b029bd395d1f
SHA256: fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682
SHA512: 32ad2b8385fbb5206be47bd55f8a3af55ce6fd84c48771fec8b7fc39862fb9133aaf99de5672a548454c17fd05a03a0f3c1813df65b65fdae73ca7881393c417