dcrat | ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Size

825KB
MD5

ce09db6adeeca051ff01abd8cf2e400d
SHA1

14e60e202c180152757a89d13d9989ec35e1f5a2
SHA256

ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16
SHA512

e80449cde93d19790e64c1fe24af1aeb00a3c392b4d57a529205a2339bbaa675b6ee21d2d068d65ef21c37d23d2f1b8b458706068ffe850410dc290c4d5c0ce3
SSDEEP

12288:jVTnKIxG7yLfHB7cymJJMA+bpW3Ari4VVyZC0+1cw2jINofMVbZZ6:jVTney9cyQJMA+b3iE0nHA6

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\wininit.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files (x86)\\Google\\dllhost.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files (x86)\\Google\\dllhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\StartMenuExperienceHost.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files (x86)\\Google\\dllhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\StartMenuExperienceHost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\StartMenuExperienceHost.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files (x86)\\Google\\dllhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\StartMenuExperienceHost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\StartMenuExperienceHost.exe\", \"C:\\Users\\Admin\\dllhost.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files (x86)\\Google\\dllhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\StartMenuExperienceHost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\StartMenuExperienceHost.exe\", \"C:\\Users\\Admin\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	4612	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	4612	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	4612	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	4612	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	4612	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	4612	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	4612	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	4612	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	4612	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	4612	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	4612	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	4612	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4612	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	4612	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	4612	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	4612	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	4612	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	4612	schtasks.exe	84

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/1672-1-0x0000000000370000-0x0000000000444000-memory.dmp	family_dcrat_v2
behavioral2/files/0x0007000000023c9d-25.dat	family_dcrat_v2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe

Executes dropped EXE 1 IoCs

pid	Process
116	StartMenuExperienceHost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Default\\Documents\\My Pictures\\StartMenuExperienceHost.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\dllhost.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Google\\dllhost.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\StartMenuExperienceHost.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Default\\Documents\\My Pictures\\StartMenuExperienceHost.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\dllhost.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Google\\dllhost.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\StartMenuExperienceHost.exe\""	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCEB3C2DB7233F48D483974C2683A0E23.TMP	csc.exe
File created	\??\c:\Windows\System32\-63gkj.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\defaults\pref\55b276f4edf653	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
File created	C:\Program Files (x86)\Google\dllhost.exe	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
File created	C:\Program Files (x86)\Google\5940a34987c991	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\StartMenuExperienceHost.exe	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2112	schtasks.exe
1592	schtasks.exe
1076	schtasks.exe
3320	schtasks.exe
4828	schtasks.exe
4552	schtasks.exe
4660	schtasks.exe
3780	schtasks.exe
2064	schtasks.exe
1104	schtasks.exe
5024	schtasks.exe
468	schtasks.exe
844	schtasks.exe
3240	schtasks.exe
2904	schtasks.exe
3504	schtasks.exe
3408	schtasks.exe
2344	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
Token: SeDebugPrivilege	116	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 4012	1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe	88
PID 1672 wrote to memory of 4012	1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe	88
PID 4012 wrote to memory of 4184	4012	csc.exe	90
PID 4012 wrote to memory of 4184	4012	csc.exe	90
PID 1672 wrote to memory of 2396	1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe	108
PID 1672 wrote to memory of 2396	1672	ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe	108
PID 2396 wrote to memory of 4628	2396	cmd.exe	110
PID 2396 wrote to memory of 4628	2396	cmd.exe	110
PID 2396 wrote to memory of 4388	2396	cmd.exe	112
PID 2396 wrote to memory of 4388	2396	cmd.exe	112
PID 2396 wrote to memory of 116	2396	cmd.exe	117
PID 2396 wrote to memory of 116	2396	cmd.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe
"C:\Users\Admin\AppData\Local\Temp\ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mku0sxsm\mku0sxsm.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAC7.tmp" "c:\Windows\System32\CSCEB3C2DB7233F48D483974C2683A0E23.TMP"
    3⤵
    PID:4184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NA0uTLJ3SG.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4628
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4388
- - C:\Users\Default\Documents\My Pictures\StartMenuExperienceHost.exe
    "C:\Users\Default\Documents\My Pictures\StartMenuExperienceHost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Pictures\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Pictures\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\My Pictures\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16a" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16a" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\wininit.exe

Filesize
825KB

MD5
ce09db6adeeca051ff01abd8cf2e400d

SHA1
14e60e202c180152757a89d13d9989ec35e1f5a2

SHA256
ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16

SHA512
e80449cde93d19790e64c1fe24af1aeb00a3c392b4d57a529205a2339bbaa675b6ee21d2d068d65ef21c37d23d2f1b8b458706068ffe850410dc290c4d5c0ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA0uTLJ3SG.bat

Filesize
242B

MD5
bb286dc40bf76d26eed3e7e58010a1c0

SHA1
516586a4fbb52e686091a3441f70075b054732a6

SHA256
dce44211c16419e581681bb8723579dc8df49ab52e9856fd56f197b64e9e4b96

SHA512
c3a144125f4f493987ba8b75ee2802da5674479701ae1c76a791f24898eb9300a844b29ecf2f4cc1b8b69534b4d2ccb7ed3c5dfd927b8c1c5445af4a1e4aacad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAAC7.tmp

Filesize
1KB

MD5
d3280437280a424b21d798d36234ab49

SHA1
0702a66132a1ac6abe92ec85af74fecd2161f7c1

SHA256
530e7b934aa6e96163b2023e57251f99dea0f1c43f3d833c2c6cfde53d8102cb

SHA512
27b61107505478faed1640f621d3d15950dc679df4b3f65463834ed629b33b741bb9dab55e6d3a8e9accb6d2fdbced1fffd0c9329e836ef20cb8a12d780cb136

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mku0sxsm\mku0sxsm.0.cs

Filesize
365B

MD5
677af91ed95d0681f4bda3ae3f3acaa5

SHA1
ceeea7a9b3c4103daf69c90182df9d9548357247

SHA256
48440e914f3fba670491787c1f9393362e30cf74556735e2564a74e196b7e034

SHA512
55e19e87e523f274572a91ffa301ccdb298f2d6c45a415ff6048dc0b700c2daefcf6dfbf1d30932a729c77540450ef3b86b92637069fdcf6fb0fc2db0b23d38c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mku0sxsm\mku0sxsm.cmdline

Filesize
235B

MD5
08af5e9a94b8871bbf9d018edba873f0

SHA1
3b6624c2b9e824cf4d1d8f43c9b6dd64b1cbcfcb

SHA256
64521f606829d58c73d5b38170765254db1640979d3e19ec21ace5ee9dd8486f

SHA512
3e599d5f2b7e7dd9312eb4bc5075d4b47fccfd6cee48bb63965d444d6409c7da549ad620300be3a57a4e65bcda60861828126666c3dd4de4c0cf85fc036993e9

Download Submit
\??\c:\Windows\System32\CSCEB3C2DB7233F48D483974C2683A0E23.TMP

Filesize
1KB

MD5
82a7b8ef3bc275711e3b27c6df93c7ff

SHA1
bdac909f26475c94c74145576bcf22adb0f8203c

SHA256
582921e5e6617cb736006c46c9c8576d8fdefb8763469bdbf305d52d298f6124

SHA512
f2100bca60280f6ad93f40254d6fe69bd9917a44973516874aa54c28042796503daac5c51869924f5ecd17615f461dda6441f479e1201c44ad07f5a7728af248

Download Submit
memory/116-58-0x000000001BEF0000-0x000000001BFBD000-memory.dmp

Filesize
820KB

Download
memory/1672-10-0x000000001B330000-0x000000001B348000-memory.dmp

Filesize
96KB

Download
memory/1672-32-0x00007FFD857F0000-0x00007FFD862B1000-memory.dmp

Filesize
10.8MB

Download
memory/1672-14-0x000000001AED0000-0x000000001AEDE000-memory.dmp

Filesize
56KB

Download
memory/1672-18-0x00007FFD857F0000-0x00007FFD862B1000-memory.dmp

Filesize
10.8MB

Download
memory/1672-12-0x00000000025E0000-0x00000000025EE000-memory.dmp

Filesize
56KB

Download
memory/1672-27-0x00007FFD857F0000-0x00007FFD862B1000-memory.dmp

Filesize
10.8MB

Download
memory/1672-31-0x00007FFD857F0000-0x00007FFD862B1000-memory.dmp

Filesize
10.8MB

Download
memory/1672-7-0x000000001B380000-0x000000001B3D0000-memory.dmp

Filesize
320KB

Download
memory/1672-8-0x00007FFD857F0000-0x00007FFD862B1000-memory.dmp

Filesize
10.8MB

Download
memory/1672-0-0x00007FFD857F3000-0x00007FFD857F5000-memory.dmp

Filesize
8KB

Download
memory/1672-6-0x000000001AEF0000-0x000000001AF0C000-memory.dmp

Filesize
112KB

Download
memory/1672-4-0x00000000025D0000-0x00000000025DE000-memory.dmp

Filesize
56KB

Download
memory/1672-47-0x000000001B610000-0x000000001B6DD000-memory.dmp

Filesize
820KB

Download
memory/1672-2-0x00007FFD857F0000-0x00007FFD862B1000-memory.dmp

Filesize
10.8MB

Download
memory/1672-49-0x00007FFD857F0000-0x00007FFD862B1000-memory.dmp

Filesize
10.8MB

Download
memory/1672-1-0x0000000000370000-0x0000000000444000-memory.dmp

Filesize
848KB

Download