dcrat | 4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Size

855KB
MD5

5780dbae6ac61a88c8d89f216f324146
SHA1

cebcebedc7aaea3a4dd1fbec933cd169bf92e9dc
SHA256

4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605
SHA512

8a595384247649e31ef0c69a63243199d224334d75b66fd486a8e6ba0ac3c2b5521e1ead4b64fb9c968c21a4836581dde10e78f36217b62862c40bed2d105920
SSDEEP

12288:I/TnPz84JfpflKH6qHJJMA+7pW3Ari4VVyZC0+1cp9rcDNpTWDTQGCZ6:I/TnzfS6qpJMA+73iE0nTr66

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files\\Microsoft Office 15\\winlogon.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files\\Microsoft Office 15\\winlogon.exe\", \"C:\\Users\\Admin\\sihost.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files\\Microsoft Office 15\\winlogon.exe\", \"C:\\Users\\Admin\\sihost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\uk-UA\\fontdrvhost.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files\\Microsoft Office 15\\winlogon.exe\", \"C:\\Users\\Admin\\sihost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\uk-UA\\fontdrvhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	2684	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2684	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2684	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	2684	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	2684	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2684	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2684	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	2684	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2684	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2684	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2684	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2684	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2684	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2684	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2684	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2684	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2684	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2684	schtasks.exe	84

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/5092-1-0x0000000000E00000-0x0000000000EDC000-memory.dmp	family_dcrat_v2
behavioral2/files/0x0007000000023c8b-30.dat	family_dcrat_v2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe

Executes dropped EXE 1 IoCs

pid	Process
4820	sihost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Photo Viewer\\uk-UA\\fontdrvhost.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Admin\\sihost.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Photo Viewer\\uk-UA\\fontdrvhost.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Microsoft Office 15\\winlogon.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Microsoft Office 15\\winlogon.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Admin\\sihost.exe\""	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
53	ipinfo.io
14	ipinfo.io
15	ipinfo.io
52	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCB20E0BD88FBB48B3A841B3CEF85D3E5A.TMP	csc.exe
File created	\??\c:\Windows\System32\lhkpi-.exe	csc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office 15\cc11b995f2a76d	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
File created	C:\Program Files\Windows Photo Viewer\uk-UA\fontdrvhost.exe	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\uk-UA\fontdrvhost.exe	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
File created	C:\Program Files\Windows Photo Viewer\uk-UA\5b884080fd4f94	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
File created	C:\Program Files\WindowsApps\dllhost.exe	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
File created	C:\Program Files\Microsoft Office 15\winlogon.exe	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2220	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2220	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1844	schtasks.exe
2008	schtasks.exe
808	schtasks.exe
1920	schtasks.exe
3036	schtasks.exe
4208	schtasks.exe
2656	schtasks.exe
4004	schtasks.exe
968	schtasks.exe
3028	schtasks.exe
2808	schtasks.exe
3940	schtasks.exe
3396	schtasks.exe
2508	schtasks.exe
2804	schtasks.exe
1064	schtasks.exe
1952	schtasks.exe
2540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4820	sihost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
Token: SeDebugPrivilege	4820	sihost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 3052	5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe	88
PID 5092 wrote to memory of 3052	5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe	88
PID 3052 wrote to memory of 1760	3052	csc.exe	91
PID 3052 wrote to memory of 1760	3052	csc.exe	91
PID 5092 wrote to memory of 3132	5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe	110
PID 5092 wrote to memory of 3132	5092	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe	110
PID 3132 wrote to memory of 728	3132	cmd.exe	112
PID 3132 wrote to memory of 728	3132	cmd.exe	112
PID 3132 wrote to memory of 2220	3132	cmd.exe	113
PID 3132 wrote to memory of 2220	3132	cmd.exe	113
PID 3132 wrote to memory of 4820	3132	cmd.exe	120
PID 3132 wrote to memory of 4820	3132	cmd.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe
"C:\Users\Admin\AppData\Local\Temp\4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\14zuykxb\14zuykxb.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC5B.tmp" "c:\Windows\System32\CSCB20E0BD88FBB48B3A841B3CEF85D3E5A.TMP"
    3⤵
    PID:1760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GHW2TQxB8N.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:728
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2220
- - C:\Users\Admin\sihost.exe
    "C:\Users\Admin\sihost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f825490796054" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f825490796054" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\sppsvc.exe

Filesize
855KB

MD5
5780dbae6ac61a88c8d89f216f324146

SHA1
cebcebedc7aaea3a4dd1fbec933cd169bf92e9dc

SHA256
4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605

SHA512
8a595384247649e31ef0c69a63243199d224334d75b66fd486a8e6ba0ac3c2b5521e1ead4b64fb9c968c21a4836581dde10e78f36217b62862c40bed2d105920

Download Submit
C:\Users\Admin\AppData\Local\Temp\GHW2TQxB8N.bat

Filesize
153B

MD5
d02f42353e7c12088db50b1b6cbacea4

SHA1
85f328545389b9a6c18b623b8f50de4d062c5d16

SHA256
b9009a17f930481062bfb9d6e7b94a4a2488863dbc0a76a34572fdf45da8693b

SHA512
6e2f9bd7743024213b3cce00c69d8e3e7a7c89c8b264100610338a70b2fdf691d6145c169ff298a820bca29195b03289be79f482d2960467fe2e8f948ecbe5fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBC5B.tmp

Filesize
1KB

MD5
c5b06896dfe0016eafe4a65194e9826c

SHA1
24862049bb129c6b71eaa28d8978a394f0e729df

SHA256
6da00b8254edbc43b444f62ba38ad4510fba7d7626154972e3cf4a7ba87e06bc

SHA512
9592cc1a8e6c12866a9f0ac832c8763aba25cfd6615d4645cc6b27e5b2d8df6f3646aea6755023fa6a9e9d5bde080ea42d2fb751df8529e1454f2fc9a85c65cb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\14zuykxb\14zuykxb.0.cs

Filesize
364B

MD5
3b9d68c0e263f7e4de053e68e22b3e5b

SHA1
cc46274aeb6c36f3d1542aa0ba804ea56b1c8fcd

SHA256
4f1c47843600fc91f03179fa7947615a46881672dca6a648fc42cd044ccc368b

SHA512
3d1e719358b19d4dd6030d460723c2001684b996e79209dc5e435a497b2a90797e02856d245c340ad5b32052421bad156ed8031a32418d8f779498842f312d14

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\14zuykxb\14zuykxb.cmdline

Filesize
235B

MD5
27a7cc8d144e999e7c261c1a4430d32b

SHA1
bf3f74c9b3c732d9b32f69abd5437599521aebb6

SHA256
1bec1c0ab9d7e4ea78885b6bb3ae5d85d2d54169f9451e05e948dfba23506d43

SHA512
cf4a37d0175941a6d3b859712acab71e7f57e9c899a6a27666ec62b3c4971ec2ccba1c6f99007e21679da37df07915a485de78f8d8f94608363f3dab0e26d593

Download Submit
\??\c:\Windows\System32\CSCB20E0BD88FBB48B3A841B3CEF85D3E5A.TMP

Filesize
1KB

MD5
75e32610d8ef6143201c7c28465fcda9

SHA1
b2bae99fade2dda07aecbe1659d184be0fc4e7a6

SHA256
97ee1cac3965d9cc55a60f20206f384719431f19ac96bdc52b93a98de51a639b

SHA512
b303fb99586efd19a08223ba93472fa6d33fcf9198bbf42fb16ba61001db59e5fd5835ea7696ed34e4004d23fa60697e724e6085d1269d788204bf95dfe46abc

Download Submit
memory/5092-8-0x000000001BAF0000-0x000000001BB40000-memory.dmp

Filesize
320KB

Download
memory/5092-32-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-12-0x0000000002F40000-0x0000000002F4C000-memory.dmp

Filesize
48KB

Download
memory/5092-14-0x0000000002F50000-0x0000000002F5E000-memory.dmp

Filesize
56KB

Download
memory/5092-16-0x0000000002F60000-0x0000000002F68000-memory.dmp

Filesize
32KB

Download
memory/5092-17-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-19-0x0000000003100000-0x000000000310C000-memory.dmp

Filesize
48KB

Download
memory/5092-27-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-0-0x00007FFBFD203000-0x00007FFBFD205000-memory.dmp

Filesize
8KB

Download
memory/5092-10-0x00000000030A0000-0x00000000030B8000-memory.dmp

Filesize
96KB

Download
memory/5092-33-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-34-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-7-0x0000000003080000-0x000000000309C000-memory.dmp

Filesize
112KB

Download
memory/5092-5-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-4-0x0000000002F30000-0x0000000002F3E000-memory.dmp

Filesize
56KB

Download
memory/5092-2-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-47-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-53-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-1-0x0000000000E00000-0x0000000000EDC000-memory.dmp

Filesize
880KB

Download