dcrat | ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Size

825KB
MD5

ce09db6adeeca051ff01abd8cf2e400d
SHA1

14e60e202c180152757a89d13d9989ec35e1f5a2
SHA256

ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16
SHA512

e80449cde93d19790e64c1fe24af1aeb00a3c392b4d57a529205a2339bbaa675b6ee21d2d068d65ef21c37d23d2f1b8b458706068ffe850410dc290c4d5c0ce3
SSDEEP

12288:jVTnKIxG7yLfHB7cymJJMA+bpW3Ari4VVyZC0+1cw2jINofMVbZZ6:jVTney9cyQJMA+b3iE0nHA6

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\", \"C:\\Windows\\fr-FR\\lsm.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\", \"C:\\Windows\\fr-FR\\lsm.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\dllhost.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\", \"C:\\Windows\\fr-FR\\lsm.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\csrss.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\", \"C:\\Windows\\fr-FR\\lsm.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\services.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\", \"C:\\Windows\\fr-FR\\lsm.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\services.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2752	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2752	schtasks.exe	31

DCRat payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/528-1-0x0000000000BA0000-0x0000000000C74000-memory.dmp	family_dcrat_v2
behavioral1/files/0x00050000000191d2-24.dat	family_dcrat_v2
behavioral1/memory/408-48-0x0000000000090000-0x0000000000164000-memory.dmp	family_dcrat_v2

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\services.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\services.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\dllhost.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\csrss.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\csrss.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\fr-FR\\lsm.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\dllhost.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\fr-FR\\lsm.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	Process
File created	\??\c:\Windows\System32\CSC505B57A69B6E47B4B5281145CA6CA8A.TMP	csc.exe
File created	\??\c:\Windows\System32\1woi1z.exe	csc.exe

Drops file in Program Files directory 2 IoCs

Processes:

ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\5940a34987c991	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe

Drops file in Windows directory 2 IoCs

Processes:

ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe

description	ioc	Process
File created	C:\Windows\fr-FR\lsm.exe	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
File created	C:\Windows\fr-FR\101b941d020240	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2236	schtasks.exe
2996	schtasks.exe
2856	schtasks.exe
1612	schtasks.exe
2980	schtasks.exe
2608	schtasks.exe
1380	schtasks.exe
2440	schtasks.exe
2272	schtasks.exe
2640	schtasks.exe
2588	schtasks.exe
1488	schtasks.exe
1928	schtasks.exe
2964	schtasks.exe
396	schtasks.exe
2576	schtasks.exe
2828	schtasks.exe
2624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe

pid	Process
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe

pid	Process
408	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exead372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe

description	pid	Process
Token: SeDebugPrivilege	528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Token: SeDebugPrivilege	408	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.execsc.execmd.exe

description	pid	Process	procid_target
PID 528 wrote to memory of 2808	528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe	35
PID 528 wrote to memory of 2808	528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe	35
PID 528 wrote to memory of 2808	528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe	35
PID 2808 wrote to memory of 2592	2808	csc.exe	37
PID 2808 wrote to memory of 2592	2808	csc.exe	37
PID 2808 wrote to memory of 2592	2808	csc.exe	37
PID 528 wrote to memory of 2120	528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe	53
PID 528 wrote to memory of 2120	528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe	53
PID 528 wrote to memory of 2120	528	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe	53
PID 2120 wrote to memory of 2156	2120	cmd.exe	55
PID 2120 wrote to memory of 2156	2120	cmd.exe	55
PID 2120 wrote to memory of 2156	2120	cmd.exe	55
PID 2120 wrote to memory of 2148	2120	cmd.exe	56
PID 2120 wrote to memory of 2148	2120	cmd.exe	56
PID 2120 wrote to memory of 2148	2120	cmd.exe	56
PID 2120 wrote to memory of 408	2120	cmd.exe	57
PID 2120 wrote to memory of 408	2120	cmd.exe	57
PID 2120 wrote to memory of 408	2120	cmd.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
"C:\Users\Admin\AppData\Local\Temp\ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sl5hatrf\sl5hatrf.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF306.tmp" "c:\Windows\System32\CSC505B57A69B6E47B4B5281145CA6CA8A.TMP"
    3⤵
    PID:2592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cwWQ5zcHgl.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2156
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2148
- - C:\Users\Admin\AppData\Local\Temp\ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
    "C:\Users\Admin\AppData\Local\Temp\ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\fr-FR\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\fr-FR\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16a" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16a" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe

Filesize
825KB

MD5
ce09db6adeeca051ff01abd8cf2e400d

SHA1
14e60e202c180152757a89d13d9989ec35e1f5a2

SHA256
ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16

SHA512
e80449cde93d19790e64c1fe24af1aeb00a3c392b4d57a529205a2339bbaa675b6ee21d2d068d65ef21c37d23d2f1b8b458706068ffe850410dc290c4d5c0ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF306.tmp

Filesize
1KB

MD5
c5a2cbfe3ae210397d91431e26b73541

SHA1
bdf3832da625ffffa382c99e5a4d7b2dc6b1430a

SHA256
ca2b24d8b666e38d467a7fd41304d5b9952a6250953d99bfc381a136c0f4b2c9

SHA512
70ec0e1381016f24d82b1248ee9df682899f30a3fc171d6b475cf0804bbca2d70b0cffeec58d647b0aebfbaffbe0b7bc82ee3f0c1e1c795b94225885fee497f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwWQ5zcHgl.bat

Filesize
278B

MD5
ad9e70d9edbc132edb4c16ee0e03e88e

SHA1
f9f6994fd3164af482d906fbfe74484fecebc506

SHA256
4f09c5272b61cf477f8cbbbb9e055be25baa27b16e883766f13bf49640701d4c

SHA512
18e9a3f51173b58d9df54217daa12a67beb7718490082117545749836029aec8b42349d958cb5f563906d6651bcb364a04b76c5784f5eee32080db502ad18884

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sl5hatrf\sl5hatrf.0.cs

Filesize
390B

MD5
fa19790eb438cc6d65f190ff756e75bd

SHA1
bcfb1a72d688f3300ab9ea69f00a581bccbd1c98

SHA256
2b07655d185fa4b3fa2d835bd18d29380461a5a2dd0db0462ffef8e7d44b0d0e

SHA512
3455e55afb7c2b8e2739622fca6fb7ecffc5c84f74dd866233f1f745a1f49d25d2aac16acc24f745239990db98eede6f3304235dfacbafc488359a3ec57428fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sl5hatrf\sl5hatrf.cmdline

Filesize
235B

MD5
efbd87654294a600c1f174926ac232bc

SHA1
80874a2968d1a4457b7218bdcaa1ae5098de3b70

SHA256
4ea055c3594a25ef6dd84c506f1dfad50aaa3e646c2a5e144edd98f815c2b2db

SHA512
cddbd8fcb7d8ff82588fb96b618c493252dec0eaeee46d527cccb08ae89bd50ba94f6a28b797046e55b0d7b7c8c69307b49245dba3cff57b75de5b56f1e5dc49

Download Submit
\??\c:\Windows\System32\CSC505B57A69B6E47B4B5281145CA6CA8A.TMP

Filesize
1KB

MD5
dcd286f3a69cfd0292a8edbc946f8553

SHA1
4d347ac1e8c1d75fc139878f5646d3a0b083ef17

SHA256
29e03364271673f4b388131b7773d016df859bb0b1c5e6c3ad6914a632600596

SHA512
4b9546033bd4957263854fbb0a87aa1d57ce3afbce7bf03b12b05b78f97c5a27c52c1d73e34b6a5ba2c395e26ec9c474a32609441b99cf78ea707113fca96f77

Download Submit
memory/408-48-0x0000000000090000-0x0000000000164000-memory.dmp

Filesize
848KB

Download
memory/528-14-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/528-29-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/528-7-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/528-6-0x00000000005C0000-0x00000000005DC000-memory.dmp

Filesize
112KB

Download
memory/528-26-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/528-27-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/528-28-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/528-13-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/528-0-0x000007FEF5873000-0x000007FEF5874000-memory.dmp

Filesize
4KB

Download
memory/528-4-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/528-11-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/528-2-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/528-1-0x0000000000BA0000-0x0000000000C74000-memory.dmp

Filesize
848KB

Download
memory/528-47-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/528-9-0x00000000021F0000-0x0000000002208000-memory.dmp

Filesize
96KB

Download