dcrat | 545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008

Analysis

max time kernel
137s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Size

1.8MB
MD5

cdfe4113f2d0e3d04921aaf02a61f4c0
SHA1

f6677353b59a891a2fe06dc2971ec383154c3094
SHA256

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008
SHA512

6892293e3a3856fd10161970e1ff149ea320bc6fc1e57c7d636d7dde25b82a9715344a5638f5d55ed4b0224cbe7af2fc8a55e6367ad3f1d5272104c7777f5404
SSDEEP

24576:opSTNuxSGxU+s8DpWgdOK5QX/aJfaOtdnDc0GcWiJHMTJd6dFdoQQDymYPj9rnWC:o/Uo5QigOMPy2TzyF2Qj9WJ

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\SIGNUP\\explorer.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WMIADAP.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\wininit.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\SIGNUP\\explorer.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WMIADAP.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\SIGNUP\\explorer.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\SIGNUP\\explorer.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\SIGNUP\\explorer.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WMIADAP.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\SIGNUP\\explorer.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WMIADAP.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2780	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2780	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2780	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2780	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2780	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2780	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2780	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2780	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2780	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2780	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2780	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2780	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2780	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2780	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2780	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2780	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2780	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2780	schtasks.exe	31

Executes dropped EXE 1 IoCs

Processes:

audiodg.exe

pid	Process
1512	audiodg.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N = "\"C:\\Program Files\\Windows Journal\\es-ES\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\wininit.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\wininit.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WMIADAP.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WMIADAP.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N = "\"C:\\Program Files\\Windows Journal\\es-ES\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Internet Explorer\\SIGNUP\\explorer.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Internet Explorer\\SIGNUP\\explorer.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	Process
File created	\??\c:\Windows\System32\CSC2A14E9631414C88949919400183BB3.TMP	csc.exe
File created	\??\c:\Windows\System32\3kmwe8.exe	csc.exe

Drops file in Program Files directory 6 IoCs

Processes:

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

description	ioc	Process
File created	C:\Program Files\Internet Explorer\SIGNUP\explorer.exe	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\7a0fd90576e088	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
File created	C:\Program Files\Windows Journal\es-ES\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
File created	C:\Program Files\Windows Journal\es-ES\a35db18858f64a	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
File created	C:\Program Files\Windows Defender\en-US\audiodg.exe	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
File created	C:\Program Files\Windows Defender\en-US\42af1c969fbb7b	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
1892	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
1892	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2680	schtasks.exe
2932	schtasks.exe
1664	schtasks.exe
592	schtasks.exe
780	schtasks.exe
2844	schtasks.exe
2468	schtasks.exe
2836	schtasks.exe
280	schtasks.exe
2904	schtasks.exe
2900	schtasks.exe
2576	schtasks.exe
2016	schtasks.exe
2036	schtasks.exe
1780	schtasks.exe
1888	schtasks.exe
1188	schtasks.exe
1228	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exeaudiodg.exe

pid	Process
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
1512	audiodg.exe
1512	audiodg.exe
1512	audiodg.exe
1512	audiodg.exe
1512	audiodg.exe
1512	audiodg.exe
1512	audiodg.exe
1512	audiodg.exe
1512	audiodg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

audiodg.exe

pid	Process
1512	audiodg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exeaudiodg.exe

description	pid	Process
Token: SeDebugPrivilege	2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Token: SeDebugPrivilege	1512	audiodg.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.execsc.execmd.exe

description	pid	Process	procid_target
PID 2380 wrote to memory of 2848	2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe	35
PID 2380 wrote to memory of 2848	2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe	35
PID 2380 wrote to memory of 2848	2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe	35
PID 2848 wrote to memory of 2720	2848	csc.exe	37
PID 2848 wrote to memory of 2720	2848	csc.exe	37
PID 2848 wrote to memory of 2720	2848	csc.exe	37
PID 2380 wrote to memory of 2192	2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe	53
PID 2380 wrote to memory of 2192	2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe	53
PID 2380 wrote to memory of 2192	2380	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe	53
PID 2192 wrote to memory of 2424	2192	cmd.exe	55
PID 2192 wrote to memory of 2424	2192	cmd.exe	55
PID 2192 wrote to memory of 2424	2192	cmd.exe	55
PID 2192 wrote to memory of 1892	2192	cmd.exe	56
PID 2192 wrote to memory of 1892	2192	cmd.exe	56
PID 2192 wrote to memory of 1892	2192	cmd.exe	56
PID 2192 wrote to memory of 1512	2192	cmd.exe	57
PID 2192 wrote to memory of 1512	2192	cmd.exe	57
PID 2192 wrote to memory of 1512	2192	cmd.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
"C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nveu30fn\nveu30fn.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDCE7.tmp" "c:\Windows\System32\CSC2A14E9631414C88949919400183BB3.TMP"
    3⤵
    PID:2720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iAXkGkYzAg.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2424
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1892
- - C:\Program Files\Windows Defender\en-US\audiodg.exe
    "C:\Program Files\Windows Defender\en-US\audiodg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\SIGNUP\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\SIGNUP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\en-US\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N5" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\es-ES\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N5" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\es-ES\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N5" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N5" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\SIGNUP\explorer.exe

Filesize
1.8MB

MD5
cdfe4113f2d0e3d04921aaf02a61f4c0

SHA1
f6677353b59a891a2fe06dc2971ec383154c3094

SHA256
545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008

SHA512
6892293e3a3856fd10161970e1ff149ea320bc6fc1e57c7d636d7dde25b82a9715344a5638f5d55ed4b0224cbe7af2fc8a55e6367ad3f1d5272104c7777f5404

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDCE7.tmp

Filesize
1KB

MD5
9096c5375bea8d98e3191b7a1afe0c5a

SHA1
7d7d03e9a63f18fc2e85710c5f7d66d4fb34711c

SHA256
2d4b17488479018550549d0c21eb14b385b4d1826276d9ecb5634f63ef979907

SHA512
d77285815698fe8ec972c1c1213da67b8638911e9895b17d640df56b04cecc9c9c5b81a6a9127dd30ec1e17ff828911c5b367499b95f3ee81df1eb97ff9a1571

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAXkGkYzAg.bat

Filesize
179B

MD5
b30ac6eb3909ee869d56b033b5a0bb3a

SHA1
7678f96cc8620da0631f845faff4b535e56bebdb

SHA256
9d1642bd73fcb4a3685e210f63ede69e2097246a5b5ebd8422ab2fd62c78750b

SHA512
35ca3616104111865fa776709e90b9367f4adf67ee553324284aca8be7792749273ab5f7b55ae2584d1b31e33e86b959612be35f5de719ea74ffbcd34c4508b3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nveu30fn\nveu30fn.0.cs

Filesize
386B

MD5
a0f75b34f35fd726d6e164c7cafc4710

SHA1
a71a01a95f0d8c748b25c07e4d786ef6b78118ff

SHA256
3964027e3afff4ca53f9be45fd54e88a2294fa5c1849db5561f1af959ce2cbf1

SHA512
8d522b6c1d395f10b47082dcadaeb83c58e437d6cc0fbd3f6d88624176356d8840f82ee969d75a6434bab476c14ad7a7c83ad354751f80d9005eec306c40e41e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nveu30fn\nveu30fn.cmdline

Filesize
235B

MD5
93a366644594df4e133c7de6da8fc0f0

SHA1
fcdabedf66561214b24054797bf258cf30fae486

SHA256
dba309a2c204c4ef041302bebf0c764d26f7a2b8046186c0211dbdc8b65dc7f0

SHA512
d0835812b25561c8ccd8b172a88609e7a5d0ea644616ec5c66b43c7be083dd3c05769c12d917aa525c28ed606bc03b718586ab40cd85814e200ceeb154454f90

Download Submit
\??\c:\Windows\System32\CSC2A14E9631414C88949919400183BB3.TMP

Filesize
1KB

MD5
8c85ef91c6071d33745325a8fa351c3e

SHA1
e3311ceef28823eec99699cc35be27c94eca52d2

SHA256
8db3e3a5515da1933036688a9b1918cfc3339fc687008c5325461271904b2d41

SHA512
2bb89b07fe46b1c406ed6a560e88cb2b8402b1d61bb71e10887bad661751f64f1e5317fd6c1b301ea4766785b915da31b64e0475cfe36c1f950b32915b5dab7d

Download Submit
memory/1512-49-0x00000000009A0000-0x0000000000B7A000-memory.dmp

Filesize
1.9MB

Download
memory/2380-6-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/2380-9-0x0000000000430000-0x000000000044C000-memory.dmp

Filesize
112KB

Download
memory/2380-12-0x0000000000450000-0x0000000000468000-memory.dmp

Filesize
96KB

Download
memory/2380-16-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-17-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-15-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-14-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/2380-10-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-8-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-0-0x000007FEF5E53000-0x000007FEF5E54000-memory.dmp

Filesize
4KB

Download
memory/2380-4-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-3-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-2-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-46-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-1-0x0000000001120000-0x00000000012FA000-memory.dmp

Filesize
1.9MB

Download