dcrat | 545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008

Analysis

max time kernel
138s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Size

1.8MB
MD5

cdfe4113f2d0e3d04921aaf02a61f4c0
SHA1

f6677353b59a891a2fe06dc2971ec383154c3094
SHA256

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008
SHA512

6892293e3a3856fd10161970e1ff149ea320bc6fc1e57c7d636d7dde25b82a9715344a5638f5d55ed4b0224cbe7af2fc8a55e6367ad3f1d5272104c7777f5404
SSDEEP

24576:opSTNuxSGxU+s8DpWgdOK5QX/aJfaOtdnDc0GcWiJHMTJd6dFdoQQDymYPj9rnWC:o/Uo5QigOMPy2TzyF2Qj9WJ

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\services.exe\", \"C:\\Program Files\\7-Zip\\wininit.exe\", \"C:\\Users\\All Users\\SoftwareDistribution\\OfficeClickToRun.exe\", \"C:\\Program Files\\Common Files\\DESIGNER\\TextInputHost.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\services.exe\", \"C:\\Program Files\\7-Zip\\wininit.exe\", \"C:\\Users\\All Users\\SoftwareDistribution\\OfficeClickToRun.exe\", \"C:\\Program Files\\Common Files\\DESIGNER\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\services.exe\", \"C:\\Program Files\\7-Zip\\wininit.exe\", \"C:\\Users\\All Users\\SoftwareDistribution\\OfficeClickToRun.exe\", \"C:\\Program Files\\Common Files\\DESIGNER\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\services.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\services.exe\", \"C:\\Program Files\\7-Zip\\wininit.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\services.exe\", \"C:\\Program Files\\7-Zip\\wininit.exe\", \"C:\\Users\\All Users\\SoftwareDistribution\\OfficeClickToRun.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	3688	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	3688	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	3688	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	3688	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	3688	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	3688	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	3688	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	3688	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	3688	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	3688	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	3688	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	3688	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	3688	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	3688	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	3688	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	3688	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	3688	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	3688	schtasks.exe	88

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\7-Zip\\wininit.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\All Users\\SoftwareDistribution\\OfficeClickToRun.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\All Users\\ssh\\services.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\7-Zip\\wininit.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\All Users\\SoftwareDistribution\\OfficeClickToRun.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Common Files\\DESIGNER\\TextInputHost.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Common Files\\DESIGNER\\TextInputHost.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\All Users\\ssh\\services.exe\""	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	Process
File created	\??\c:\Windows\System32\CSC963D989D1CEA4D71909F722FCC39A96F.TMP	csc.exe
File created	\??\c:\Windows\System32\lhkpi-.exe	csc.exe

Drops file in Program Files directory 4 IoCs

Processes:

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

description	ioc	Process
File created	C:\Program Files\Common Files\DESIGNER\TextInputHost.exe	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
File created	C:\Program Files\Common Files\DESIGNER\22eafd247d37c3	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
File created	C:\Program Files\7-Zip\wininit.exe	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
File created	C:\Program Files\7-Zip\56085415360792	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2384	schtasks.exe
4616	schtasks.exe
1656	schtasks.exe
1972	schtasks.exe
964	schtasks.exe
2756	schtasks.exe
4692	schtasks.exe
3428	schtasks.exe
4812	schtasks.exe
5012	schtasks.exe
1636	schtasks.exe
1740	schtasks.exe
2472	schtasks.exe
2664	schtasks.exe
840	schtasks.exe
1280	schtasks.exe
2496	schtasks.exe
1548	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

pid	Process
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
864	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
864	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
864	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
864	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
864	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
864	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
864	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

pid	Process
864	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

description	pid	Process
Token: SeDebugPrivilege	5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
Token: SeDebugPrivilege	864	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.execsc.execmd.exe

description	pid	Process	procid_target
PID 5096 wrote to memory of 5032	5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe	92
PID 5096 wrote to memory of 5032	5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe	92
PID 5032 wrote to memory of 2280	5032	csc.exe	94
PID 5032 wrote to memory of 2280	5032	csc.exe	94
PID 5096 wrote to memory of 3064	5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe	111
PID 5096 wrote to memory of 3064	5096	545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe	111
PID 3064 wrote to memory of 3988	3064	cmd.exe	113
PID 3064 wrote to memory of 3988	3064	cmd.exe	113
PID 3064 wrote to memory of 5028	3064	cmd.exe	114
PID 3064 wrote to memory of 5028	3064	cmd.exe	114
PID 3064 wrote to memory of 864	3064	cmd.exe	118
PID 3064 wrote to memory of 864	3064	cmd.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
"C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bmmatddt\bmmatddt.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC479.tmp" "c:\Windows\System32\CSC963D989D1CEA4D71909F722FCC39A96F.TMP"
    3⤵
    PID:2280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ijqDdIQKja.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3988
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5028
- - C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe
    "C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\ssh\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\ssh\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\ssh\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\7-Zip\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\SoftwareDistribution\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\SoftwareDistribution\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\DESIGNER\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\DESIGNER\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N5" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N5" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ssh\services.exe

Filesize
1.8MB

MD5
cdfe4113f2d0e3d04921aaf02a61f4c0

SHA1
f6677353b59a891a2fe06dc2971ec383154c3094

SHA256
545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008

SHA512
6892293e3a3856fd10161970e1ff149ea320bc6fc1e57c7d636d7dde25b82a9715344a5638f5d55ed4b0224cbe7af2fc8a55e6367ad3f1d5272104c7777f5404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe.log

Filesize
1KB

MD5
af6acd95d59de87c04642509c30e81c1

SHA1
f9549ae93fdb0a5861a79a08f60aa81c4b32377b

SHA256
7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

SHA512
93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC479.tmp

Filesize
1KB

MD5
903f39866093d83f93dbf1264f9fb613

SHA1
7c88447649be2bc952db89e737baf681d023ac68

SHA256
2659753d2a3bbc5a08dfff89864e3b13fed1dbf3772fde4ad5e720d48a48a490

SHA512
9cb2d2e980d85ddd969a63eed9a82a5087451345c0b02025b989cdc517268cee536ac58df39b407b42c939c1d5f440649f155974c7f8aa50e7156c3d0750fe11

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijqDdIQKja.bat

Filesize
279B

MD5
2fc387bf73f5097b937d1683957f4fb1

SHA1
a0fdeb38956fb1a658ec5ffd8b0ca2752381a9e3

SHA256
cdf53857156b7feaf8ea278662f3f982f29cd2393cab10973b88703e2d777642

SHA512
006202d0e5493720aa971d3f61b0e53db900915ef77d3dcae7168dcd0677ed22cde3c5014991f547f1875312185520b1deadf73c1ef9736ba410e5832f1f307d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bmmatddt\bmmatddt.0.cs

Filesize
367B

MD5
896616c530d1aadd78f44e00ead0fef1

SHA1
df70083d3aa01265d882fc186e094d2b3bdc8662

SHA256
bd1f83d51250d4fe7bed55dbd2febfd69e80e89e1fa1d2cad32f0bb6251f25f0

SHA512
e311c0a9278f28f49fa7dfee79009edf9997657571d720e2205659159e800e3bc778a25cf47cd740493cf85882850b6f34efa62f17e65faf26a83ca01dc82605

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bmmatddt\bmmatddt.cmdline

Filesize
235B

MD5
e82cf091b69da16c7f223b22435adc78

SHA1
236de8b12ba382b802fb050b4536946ca36f5fb7

SHA256
e8cb4b3c9d301fa5f8272eba9ab654cdff889851c9497ff407ff79546b1b25ae

SHA512
e23f8e8b87c75dacc056b2e5a3d09e586ee77f9e1953b870a5994a64e072085198931defa77dadff8093584675d5788f0581f5da2bb255eadd8bf87525cbc622

Download Submit
\??\c:\Windows\System32\CSC963D989D1CEA4D71909F722FCC39A96F.TMP

Filesize
1KB

MD5
75e32610d8ef6143201c7c28465fcda9

SHA1
b2bae99fade2dda07aecbe1659d184be0fc4e7a6

SHA256
97ee1cac3965d9cc55a60f20206f384719431f19ac96bdc52b93a98de51a639b

SHA512
b303fb99586efd19a08223ba93472fa6d33fcf9198bbf42fb16ba61001db59e5fd5835ea7696ed34e4004d23fa60697e724e6085d1269d788204bf95dfe46abc

Download Submit
memory/5096-7-0x0000000002350000-0x000000000235E000-memory.dmp

Filesize
56KB

Download
memory/5096-33-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/5096-11-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/5096-12-0x000000001B280000-0x000000001B2D0000-memory.dmp

Filesize
320KB

Download
memory/5096-17-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/5096-16-0x0000000002360000-0x000000000236C000-memory.dmp

Filesize
48KB

Download
memory/5096-14-0x000000001AFF0000-0x000000001B008000-memory.dmp

Filesize
96KB

Download
memory/5096-21-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/5096-8-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/5096-10-0x000000001AFD0000-0x000000001AFEC000-memory.dmp

Filesize
112KB

Download
memory/5096-0-0x00007FFBAC563000-0x00007FFBAC565000-memory.dmp

Filesize
8KB

Download
memory/5096-5-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/5096-4-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/5096-3-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/5096-48-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/5096-2-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/5096-1-0x00000000000C0000-0x000000000029A000-memory.dmp

Filesize
1.9MB

Download