dcrat | 545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Size

1.8MB
MD5

cdfe4113f2d0e3d04921aaf02a61f4c0
SHA1

f6677353b59a891a2fe06dc2971ec383154c3094
SHA256

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008
SHA512

6892293e3a3856fd10161970e1ff149ea320bc6fc1e57c7d636d7dde25b82a9715344a5638f5d55ed4b0224cbe7af2fc8a55e6367ad3f1d5272104c7777f5404
SSDEEP

24576:opSTNuxSGxU+s8DpWgdOK5QX/aJfaOtdnDc0GcWiJHMTJd6dFdoQQDymYPj9rnWC:o/Uo5QigOMPy2TzyF2Qj9WJ

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\", \"C:\\Windows\\Web\\Wallpaper\\Nature\\lsm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\taskhost.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\sppsvc.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\", \"C:\\Windows\\Web\\Wallpaper\\Nature\\lsm.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2028	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2028	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2028	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2028	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2028	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2028	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2028	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2028	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2028	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2028	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2028	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2028	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2028	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2028	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2028	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2028	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2028	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2028	schtasks.exe	31

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid	Process
776	csrss.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default User\\taskhost.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Web\\Wallpaper\\Nature\\lsm.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default User\\taskhost.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\sppsvc.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\sppsvc.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Web\\Wallpaper\\Nature\\lsm.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	Process
File created	\??\c:\Windows\System32\CSCD7E8F2E947BD4BFAB26E29DCBB27592.TMP	csc.exe
File created	\??\c:\Windows\System32\1woi1z.exe	csc.exe

Drops file in Windows directory 3 IoCs

Processes:

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

description	ioc	Process
File created	C:\Windows\Web\Wallpaper\Nature\lsm.exe	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
File opened for modification	C:\Windows\Web\Wallpaper\Nature\lsm.exe	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
File created	C:\Windows\Web\Wallpaper\Nature\101b941d020240	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2700	schtasks.exe
576	schtasks.exe
1544	schtasks.exe
1304	schtasks.exe
2252	schtasks.exe
1748	schtasks.exe
2084	schtasks.exe
2884	schtasks.exe
2556	schtasks.exe
2960	schtasks.exe
1004	schtasks.exe
880	schtasks.exe
2692	schtasks.exe
2592	schtasks.exe
2948	schtasks.exe
1532	schtasks.exe
352	schtasks.exe
592	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.execsrss.exe

pid	Process
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
776	csrss.exe
776	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.execsrss.exe

description	pid	Process
Token: SeDebugPrivilege	2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Token: SeDebugPrivilege	776	csrss.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.execsc.execmd.exe

description	pid	Process	procid_target
PID 2408 wrote to memory of 2400	2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe	35
PID 2408 wrote to memory of 2400	2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe	35
PID 2408 wrote to memory of 2400	2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe	35
PID 2400 wrote to memory of 2388	2400	csc.exe	37
PID 2400 wrote to memory of 2388	2400	csc.exe	37
PID 2400 wrote to memory of 2388	2400	csc.exe	37
PID 2408 wrote to memory of 2216	2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe	53
PID 2408 wrote to memory of 2216	2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe	53
PID 2408 wrote to memory of 2216	2408	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe	53
PID 2216 wrote to memory of 2224	2216	cmd.exe	55
PID 2216 wrote to memory of 2224	2216	cmd.exe	55
PID 2216 wrote to memory of 2224	2216	cmd.exe	55
PID 2216 wrote to memory of 2184	2216	cmd.exe	56
PID 2216 wrote to memory of 2184	2216	cmd.exe	56
PID 2216 wrote to memory of 2184	2216	cmd.exe	56
PID 2216 wrote to memory of 776	2216	cmd.exe	57
PID 2216 wrote to memory of 776	2216	cmd.exe	57
PID 2216 wrote to memory of 776	2216	cmd.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
"C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3n0rnbt1\3n0rnbt1.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF9BA.tmp" "c:\Windows\System32\CSCD7E8F2E947BD4BFAB26E29DCBB27592.TMP"
    3⤵
    PID:2388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\psS3BOCiYp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2224
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2184
- - C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe
    "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\Wallpaper\Nature\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Nature\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\Wallpaper\Nature\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N5" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N5" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF9BA.tmp

Filesize
1KB

MD5
5cd5addd58c84380cd831ac43a082349

SHA1
b2ca6cf0e6c029f89dcbb4732a8b4e42afc34d6b

SHA256
cc62b50859e01132372b50efb93e35954acf0639b3002cd1b6f1d4f6de0bfa5d

SHA512
0e487d2a9889adb96ef75fe09106c466af19a462ea76e7dabc68cabea0c07a296ecaa8939e311ac5232733f7966a2fd8fe97a06e783fd07bf8e4f438a40fff69

Download Submit
C:\Users\Admin\AppData\Local\Temp\psS3BOCiYp.bat

Filesize
234B

MD5
8e63413bd65c2eabc8c3a5f930606918

SHA1
5ae44a0e8902555c41909afa287ab37b86938c5e

SHA256
13a4d75d6aed8e7fa059ee4a085c30ab3c019ca87b94b8d4912a3906b53c48c8

SHA512
2c76c1375b81ec1ff51cceb08fe3928f7e925ee27612c319f9fd058838ff6852b59e365bdbd22c447ef38f9b25ea182021039e84446e966b96772d46c3d78823

Download Submit
C:\Users\Default\taskhost.exe

Filesize
1.8MB

MD5
cdfe4113f2d0e3d04921aaf02a61f4c0

SHA1
f6677353b59a891a2fe06dc2971ec383154c3094

SHA256
545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008

SHA512
6892293e3a3856fd10161970e1ff149ea320bc6fc1e57c7d636d7dde25b82a9715344a5638f5d55ed4b0224cbe7af2fc8a55e6367ad3f1d5272104c7777f5404

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3n0rnbt1\3n0rnbt1.0.cs

Filesize
366B

MD5
1d066a5ed25e3789feb3b821d3015a0d

SHA1
8506c9a524f9572a619af060d3c6030c7a95880d

SHA256
cf60d6ecd64084fb287b57e91af57510eb84d5f9211395625e2d48fb2506a994

SHA512
4567aec0d9c290a1d823c42efff6329c3f86cfa82359acad6585dcfa8b0ca98bda586f6f3159d81cfb3c4b28532018a5887267339f8c8b1a892dfacc4097daf5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3n0rnbt1\3n0rnbt1.cmdline

Filesize
235B

MD5
1988a362a1a22a1e53512247dc722ae7

SHA1
5a5860c1bfe509a2028a913444e62f40c5e3bf05

SHA256
7847b940636dc79d48d332bb31d13209f32c95081601de6085f41c25761e664a

SHA512
7ef9093969749cdfa8c99d66b137c023b967ee694c921d320c8cf0c0b9c62e8629f076c552f85170121786e00134b6a11288bfe560b000c433a64ab01823a580

Download Submit
\??\c:\Windows\System32\CSCD7E8F2E947BD4BFAB26E29DCBB27592.TMP

Filesize
1KB

MD5
dcd286f3a69cfd0292a8edbc946f8553

SHA1
4d347ac1e8c1d75fc139878f5646d3a0b083ef17

SHA256
29e03364271673f4b388131b7773d016df859bb0b1c5e6c3ad6914a632600596

SHA512
4b9546033bd4957263854fbb0a87aa1d57ce3afbce7bf03b12b05b78f97c5a27c52c1d73e34b6a5ba2c395e26ec9c474a32609441b99cf78ea707113fca96f77

Download Submit
memory/776-49-0x0000000000BB0000-0x0000000000D8A000-memory.dmp

Filesize
1.9MB

Download
memory/2408-6-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/2408-28-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-12-0x0000000002280000-0x0000000002298000-memory.dmp

Filesize
96KB

Download
memory/2408-10-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-15-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-9-0x00000000007B0000-0x00000000007CC000-memory.dmp

Filesize
112KB

Download
memory/2408-27-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-14-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/2408-7-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-0-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

Filesize
4KB

Download
memory/2408-4-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-3-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-45-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-2-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-1-0x0000000000020000-0x00000000001FA000-memory.dmp

Filesize
1.9MB

Download