dcrat | 4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605

Analysis

max time kernel
132s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/11/2024, 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5780DBAE6AC61A88C8D89F216F324146.exe
Size

855KB
MD5

5780dbae6ac61a88c8d89f216f324146
SHA1

cebcebedc7aaea3a4dd1fbec933cd169bf92e9dc
SHA256

4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605
SHA512

8a595384247649e31ef0c69a63243199d224334d75b66fd486a8e6ba0ac3c2b5521e1ead4b64fb9c968c21a4836581dde10e78f36217b62862c40bed2d105920
SSDEEP

12288:I/TnPz84JfpflKH6qHJJMA+7pW3Ari4VVyZC0+1cp9rcDNpTWDTQGCZ6:I/TnzfS6qpJMA+73iE0nTr66

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\5780DBAE6AC61A88C8D89F216F324146.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\audiodg.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Admin\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\5780DBAE6AC61A88C8D89F216F324146.exe\""	5780DBAE6AC61A88C8D89F216F324146.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\5780DBAE6AC61A88C8D89F216F324146.exe\""	5780DBAE6AC61A88C8D89F216F324146.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\5780DBAE6AC61A88C8D89F216F324146.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\explorer.exe\""	5780DBAE6AC61A88C8D89F216F324146.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\5780DBAE6AC61A88C8D89F216F324146.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\audiodg.exe\""	5780DBAE6AC61A88C8D89F216F324146.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\5780DBAE6AC61A88C8D89F216F324146.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\audiodg.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\sppsvc.exe\""	5780DBAE6AC61A88C8D89F216F324146.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\5780DBAE6AC61A88C8D89F216F324146.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\audiodg.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Admin\\csrss.exe\""	5780DBAE6AC61A88C8D89F216F324146.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	3040	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	3040	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	3040	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	3040	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	3040	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	3040	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	3040	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	3040	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	3040	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	3040	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	3040	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	3040	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	3040	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	3040	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	3040	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	3040	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	3040	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	3040	schtasks.exe	30

DCRat payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2512-1-0x00000000001A0000-0x000000000027C000-memory.dmp	family_dcrat_v2
behavioral1/files/0x000800000001925e-31.dat	family_dcrat_v2
behavioral1/memory/2272-55-0x0000000000890000-0x000000000096C000-memory.dmp	family_dcrat_v2

Executes dropped EXE 1 IoCs

pid	Process
2272	5780DBAE6AC61A88C8D89F216F324146.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\audiodg.exe\""	5780DBAE6AC61A88C8D89F216F324146.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\csrss.exe\""	5780DBAE6AC61A88C8D89F216F324146.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\csrss.exe\""	5780DBAE6AC61A88C8D89F216F324146.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5780DBAE6AC61A88C8D89F216F324146 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5780DBAE6AC61A88C8D89F216F324146.exe\""	5780DBAE6AC61A88C8D89F216F324146.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5780DBAE6AC61A88C8D89F216F324146 = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\5780DBAE6AC61A88C8D89F216F324146.exe\""	5780DBAE6AC61A88C8D89F216F324146.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\explorer.exe\""	5780DBAE6AC61A88C8D89F216F324146.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\explorer.exe\""	5780DBAE6AC61A88C8D89F216F324146.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\audiodg.exe\""	5780DBAE6AC61A88C8D89F216F324146.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\sppsvc.exe\""	5780DBAE6AC61A88C8D89F216F324146.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\sppsvc.exe\""	5780DBAE6AC61A88C8D89F216F324146.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\5780DBAE6AC61A88C8D89F216F324146 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5780DBAE6AC61A88C8D89F216F324146.exe\""	5780DBAE6AC61A88C8D89F216F324146.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\5780DBAE6AC61A88C8D89F216F324146 = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\5780DBAE6AC61A88C8D89F216F324146.exe\""	5780DBAE6AC61A88C8D89F216F324146.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
5	ipinfo.io
12	ipinfo.io
13	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCD06B1F1474E44FEC998A6F4B432D86E.TMP	csc.exe
File created	\??\c:\Windows\System32\dzuhbf.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\audiodg.exe	5780DBAE6AC61A88C8D89F216F324146.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\42af1c969fbb7b	5780DBAE6AC61A88C8D89F216F324146.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe	5780DBAE6AC61A88C8D89F216F324146.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\7a0fd90576e088	5780DBAE6AC61A88C8D89F216F324146.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	5780DBAE6AC61A88C8D89F216F324146.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	5780DBAE6AC61A88C8D89F216F324146.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2520	schtasks.exe
2912	schtasks.exe
2464	schtasks.exe
2744	schtasks.exe
2324	schtasks.exe
2688	schtasks.exe
2612	schtasks.exe
2940	schtasks.exe
768	schtasks.exe
1148	schtasks.exe
2008	schtasks.exe
2696	schtasks.exe
1716	schtasks.exe
1288	schtasks.exe
2036	schtasks.exe
2472	schtasks.exe
2828	schtasks.exe
2980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe
2512	5780DBAE6AC61A88C8D89F216F324146.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2272	5780DBAE6AC61A88C8D89F216F324146.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	5780DBAE6AC61A88C8D89F216F324146.exe
Token: SeDebugPrivilege	2272	5780DBAE6AC61A88C8D89F216F324146.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2936	2512	5780DBAE6AC61A88C8D89F216F324146.exe	34
PID 2512 wrote to memory of 2936	2512	5780DBAE6AC61A88C8D89F216F324146.exe	34
PID 2512 wrote to memory of 2936	2512	5780DBAE6AC61A88C8D89F216F324146.exe	34
PID 2936 wrote to memory of 2760	2936	csc.exe	36
PID 2936 wrote to memory of 2760	2936	csc.exe	36
PID 2936 wrote to memory of 2760	2936	csc.exe	36
PID 2512 wrote to memory of 340	2512	5780DBAE6AC61A88C8D89F216F324146.exe	53
PID 2512 wrote to memory of 340	2512	5780DBAE6AC61A88C8D89F216F324146.exe	53
PID 2512 wrote to memory of 340	2512	5780DBAE6AC61A88C8D89F216F324146.exe	53
PID 340 wrote to memory of 496	340	cmd.exe	55
PID 340 wrote to memory of 496	340	cmd.exe	55
PID 340 wrote to memory of 496	340	cmd.exe	55
PID 340 wrote to memory of 3064	340	cmd.exe	56
PID 340 wrote to memory of 3064	340	cmd.exe	56
PID 340 wrote to memory of 3064	340	cmd.exe	56
PID 340 wrote to memory of 2272	340	cmd.exe	57
PID 340 wrote to memory of 2272	340	cmd.exe	57
PID 340 wrote to memory of 2272	340	cmd.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5780DBAE6AC61A88C8D89F216F324146.exe
"C:\Users\Admin\AppData\Local\Temp\5780DBAE6AC61A88C8D89F216F324146.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hzjz2uvg\hzjz2uvg.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC34F.tmp" "c:\Windows\System32\CSCD06B1F1474E44FEC998A6F4B432D86E.TMP"
    3⤵
    PID:2760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bNBdu6Md0n.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:340
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:496
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3064
- - C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\5780DBAE6AC61A88C8D89F216F324146.exe
    "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\5780DBAE6AC61A88C8D89F216F324146.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5780DBAE6AC61A88C8D89F216F3241465" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\5780DBAE6AC61A88C8D89F216F324146.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5780DBAE6AC61A88C8D89F216F324146" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\5780DBAE6AC61A88C8D89F216F324146.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5780DBAE6AC61A88C8D89F216F3241465" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\5780DBAE6AC61A88C8D89F216F324146.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5780DBAE6AC61A88C8D89F216F3241465" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\5780DBAE6AC61A88C8D89F216F324146.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5780DBAE6AC61A88C8D89F216F324146" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\5780DBAE6AC61A88C8D89F216F324146.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5780DBAE6AC61A88C8D89F216F3241465" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\5780DBAE6AC61A88C8D89F216F324146.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\5780DBAE6AC61A88C8D89F216F324146.exe

Filesize
855KB

MD5
5780dbae6ac61a88c8d89f216f324146

SHA1
cebcebedc7aaea3a4dd1fbec933cd169bf92e9dc

SHA256
4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605

SHA512
8a595384247649e31ef0c69a63243199d224334d75b66fd486a8e6ba0ac3c2b5521e1ead4b64fb9c968c21a4836581dde10e78f36217b62862c40bed2d105920

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC34F.tmp

Filesize
1KB

MD5
07536baeb67e5871c6ee53b5c1fc48b1

SHA1
f0294feb4056ff7b9ae9f1434b863a46c54c2cab

SHA256
b2df9dcd1fb463a2444fced8946fd366d5ade7dc45874aa0fe1a44205809e89a

SHA512
f630568f4809e8f270212ce9c8efe39d538cb6e0bf5165cfb8392746332a0f090e34a6661e9309c656942b2a0c3dec3d7a5ab970997eaee82db214fb3ce4821f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bNBdu6Md0n.bat

Filesize
261B

MD5
2ac6a7b55dec7bdba9d449d1de9d5e40

SHA1
c6b8410b9b15d33d3aecebf3785d76251233a9a2

SHA256
8b402b29e2d59b286e4a33a5cc202d5af54e9c7622c9a4e1c07713d4a376b561

SHA512
69fa6a2ba14a8fa05b3c0c1c0a281063b1886be0ed5a2a23477b204924ffb7ab2872c2f0727ab7cd4fe066551f956dc7fd0077295276228d9fa66243590322bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hzjz2uvg\hzjz2uvg.0.cs

Filesize
417B

MD5
99b79727e2a0ac829711b851c9b6cf7f

SHA1
7e73c925db717f22003f385fdee429a747f8dc00

SHA256
1aeea7eef59680299df6327e4693d3f4bb481068daeabee097f23a61bbc23ee0

SHA512
40cedc73891268030f92f3c5da6d15c56b24b3486571b6381e6ab2f9cc52b2cc335a1a72f813f8bb1396b1971b7c2215df01291b8affb9926f9b54fefc8600c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hzjz2uvg\hzjz2uvg.cmdline

Filesize
235B

MD5
c632169ac1b122d24392960260f4f14c

SHA1
ed128e8eb046494671a2872dcc349fb4e1852e4a

SHA256
4ac2273c116d57a63193b3fa37877436cbea976bdf73562746b8b37a4242e858

SHA512
9e28a462c2174e6d2b3495e72ac494e23d64d8d2d47e330722d58c53508cd3883a53eab5d176d5e394934a88bebbacd982d18c0cc32599ea749699f4e33af6d9

Download Submit
\??\c:\Windows\System32\CSCD06B1F1474E44FEC998A6F4B432D86E.TMP

Filesize
1KB

MD5
9446a6998523ec187daa3d79bec9c8fa

SHA1
16c7f73aef03c8a15b4d9e8b1cfa5183caf7ca96

SHA256
f55f1bd2c1246cfb3b60cd8649fcc78b3837896bdf5132d6fc8ea0ecabf892d7

SHA512
fac3ad1b0c8663aaa94cd66b6ea0aa1848e570ff4a22b709cf2696abb76e28f42fb0d2a74316a7ad86bb6216177013c6b71ce2f4df139edc3054a03ee3467c9d

Download Submit
memory/2272-55-0x0000000000890000-0x000000000096C000-memory.dmp

Filesize
880KB

Download
memory/2512-14-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/2512-34-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2512-9-0x00000000002C0000-0x00000000002D8000-memory.dmp

Filesize
96KB

Download
memory/2512-17-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2512-16-0x0000000000290000-0x0000000000298000-memory.dmp

Filesize
32KB

Download
memory/2512-21-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2512-20-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2512-18-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2512-12-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2512-11-0x0000000000190000-0x000000000019C000-memory.dmp

Filesize
48KB

Download
memory/2512-33-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2512-0-0x000007FEF5493000-0x000007FEF5494000-memory.dmp

Filesize
4KB

Download
memory/2512-7-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2512-6-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/2512-4-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/2512-51-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2512-2-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2512-1-0x00000000001A0000-0x000000000027C000-memory.dmp

Filesize
880KB

Download