dcrat | 4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605

Analysis

max time kernel
136s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Size

855KB
MD5

5780dbae6ac61a88c8d89f216f324146
SHA1

cebcebedc7aaea3a4dd1fbec933cd169bf92e9dc
SHA256

4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605
SHA512

8a595384247649e31ef0c69a63243199d224334d75b66fd486a8e6ba0ac3c2b5521e1ead4b64fb9c968c21a4836581dde10e78f36217b62862c40bed2d105920
SSDEEP

12288:I/TnPz84JfpflKH6qHJJMA+7pW3Ari4VVyZC0+1cp9rcDNpTWDTQGCZ6:I/TnzfS6qpJMA+73iE0nTr66

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\explorer.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\Idle.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\Idle.exe\", \"C:\\Users\\Admin\\NetHood\\csrss.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\Idle.exe\", \"C:\\Users\\Admin\\NetHood\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsm.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\Idle.exe\", \"C:\\Users\\Admin\\NetHood\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	1528	schtasks.exe	30

DCRat payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/1812-1-0x0000000000D60000-0x0000000000E3C000-memory.dmp	family_dcrat_v2
behavioral1/files/0x00070000000193be-28.dat	family_dcrat_v2
behavioral1/memory/948-55-0x0000000000DC0000-0x0000000000E9C000-memory.dmp	family_dcrat_v2

Executes dropped EXE 1 IoCs

pid	Process
948	sppsvc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\NetHood\\csrss.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsm.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\explorer.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\explorer.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\NetHood\\csrss.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\Idle.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\Idle.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsm.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
5	ipinfo.io
12	ipinfo.io
13	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCB3049ED5A69F4BEBA5CDB4969F6ED5B0.TMP	csc.exe
File created	\??\c:\Windows\System32\foda5r.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\6ccacd8608530f	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\Idle.exe	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2872	schtasks.exe
324	schtasks.exe
2744	schtasks.exe
2480	schtasks.exe
1768	schtasks.exe
3004	schtasks.exe
2568	schtasks.exe
1124	schtasks.exe
2852	schtasks.exe
568	schtasks.exe
2624	schtasks.exe
1948	schtasks.exe
2860	schtasks.exe
2956	schtasks.exe
2820	schtasks.exe
776	schtasks.exe
2920	schtasks.exe
2276	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
948	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
948	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Token: SeDebugPrivilege	948	sppsvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 2824	1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe	34
PID 1812 wrote to memory of 2824	1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe	34
PID 1812 wrote to memory of 2824	1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe	34
PID 2824 wrote to memory of 2644	2824	csc.exe	36
PID 2824 wrote to memory of 2644	2824	csc.exe	36
PID 2824 wrote to memory of 2644	2824	csc.exe	36
PID 1812 wrote to memory of 408	1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe	52
PID 1812 wrote to memory of 408	1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe	52
PID 1812 wrote to memory of 408	1812	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe	52
PID 408 wrote to memory of 2232	408	cmd.exe	54
PID 408 wrote to memory of 2232	408	cmd.exe	54
PID 408 wrote to memory of 2232	408	cmd.exe	54
PID 408 wrote to memory of 1144	408	cmd.exe	55
PID 408 wrote to memory of 1144	408	cmd.exe	55
PID 408 wrote to memory of 1144	408	cmd.exe	55
PID 408 wrote to memory of 948	408	cmd.exe	56
PID 408 wrote to memory of 948	408	cmd.exe	56
PID 408 wrote to memory of 948	408	cmd.exe	56
PID 408 wrote to memory of 948	408	cmd.exe	56
PID 408 wrote to memory of 948	408	cmd.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
"C:\Users\Admin\AppData\Local\Temp\4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\shylgo2i\shylgo2i.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38A.tmp" "c:\Windows\System32\CSCB3049ED5A69F4BEBA5CDB4969F6ED5B0.TMP"
    3⤵
    PID:2644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5hVQyYPYW5.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2232
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1144
- - C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe
    "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\NetHood\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f825490796054" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f825490796054" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe

Filesize
855KB

MD5
5780dbae6ac61a88c8d89f216f324146

SHA1
cebcebedc7aaea3a4dd1fbec933cd169bf92e9dc

SHA256
4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605

SHA512
8a595384247649e31ef0c69a63243199d224334d75b66fd486a8e6ba0ac3c2b5521e1ead4b64fb9c968c21a4836581dde10e78f36217b62862c40bed2d105920

Download Submit
C:\Users\Admin\AppData\Local\Temp\5hVQyYPYW5.bat

Filesize
235B

MD5
00bd6fb0f45bc116e26075caec78f742

SHA1
a27e184a92e517f2c6310145b8df5a96820a7a2d

SHA256
0219ed22f8302bd149ef5e905901b7513296d9a45d56c69c3044aa8523b9b0e4

SHA512
5879973bfabfec1e842bcdc26c4f0af15517cf1766c5c1c26849fcc9be14dfdaedf5f45033d19e4681fe6d1c8596d53673316ac1ba24fc4bedbd1266cdd9cd79

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES38A.tmp

Filesize
1KB

MD5
6be15cda64a929a5fd3f15022dc2b5d1

SHA1
0e59842607f0f93737711fef2d60ea4b289340ed

SHA256
d4b9bc4c0df46ef6c8adcdcd12a45b40fd619770f4e87966e4adda8c143776ad

SHA512
ab1fe84cdcad651d590a16704254fb02f280758c94fe61313ed576f4c4673e3b1a82dbf010568c3eee7b738bc971732358effe19a511b1763f0b2ae530e7f184

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\shylgo2i\shylgo2i.0.cs

Filesize
391B

MD5
0828c26cb24a857c5dc77baa8642df0a

SHA1
e406af17391177b3bb57b2168dd953ebf2065935

SHA256
23daad27616492bc51b45facbab9e68c1b17143eac88eabb8f0552653f4b85bd

SHA512
140d4a2298c8504d5d6568c67bd449a31040e1852650df241097d3860b8c6d28e57564bf4d912488f4096ddd38130bba74561bd171b599692d0c694c34b4a1d1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\shylgo2i\shylgo2i.cmdline

Filesize
235B

MD5
d9a91b56df004b6f8f0e3f309fdc7910

SHA1
2be49b9eccbd49e845c415a55680d9351ff2967c

SHA256
ddf00b062a0950c7ebe562503f2f355b06f4b744a5d4d63f483e19db35ae1cbe

SHA512
6e1eb05d545a7196050e7a88ed0af34c5407dd8937e051164f5661891fe8f445200f333bf80c81cb41d1770e8389189de7948ebe1fdd12bd3cefa6806eecfbdf

Download Submit
\??\c:\Windows\System32\CSCB3049ED5A69F4BEBA5CDB4969F6ED5B0.TMP

Filesize
1KB

MD5
02b6f6024c0f35b2dfb735e30d40ea59

SHA1
9e28d1d16523aab5845e09fdecf27759375f9b5a

SHA256
17491f9c7a135563b4c9dd20e2113e934070166146005e0f97ab301f4a5ef4aa

SHA512
a8a734f3d0f4d6a8904a8faa5638db91e9034c55306f153fdf321731cdfaaa58847d731ee64b226df0bd6cd4b8e6ed6d2ed1af77f510e079755f7159af433672

Download Submit
memory/948-55-0x0000000000DC0000-0x0000000000E9C000-memory.dmp

Filesize
880KB

Download
memory/1812-31-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1812-33-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1812-15-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/1812-17-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/1812-18-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1812-4-0x0000000000150000-0x000000000015E000-memory.dmp

Filesize
56KB

Download
memory/1812-30-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1812-6-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download
memory/1812-32-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1812-13-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/1812-11-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1812-0-0x000007FEF5B33000-0x000007FEF5B34000-memory.dmp

Filesize
4KB

Download
memory/1812-39-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1812-10-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download
memory/1812-2-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1812-1-0x0000000000D60000-0x0000000000E3C000-memory.dmp

Filesize
880KB

Download
memory/1812-52-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1812-8-0x00000000003B0000-0x00000000003C8000-memory.dmp

Filesize
96KB

Download