dcrat | b1d43056050ebf9e4698475c07022fb3c6e39d721abaf32d459d5bf50ed1b515

Analysis

max time kernel
125s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dd8afbb49ae5a087a23e98931557da2.exe
Size

827KB
MD5

7dd8afbb49ae5a087a23e98931557da2
SHA1

925549dc8d4b1f21905d6430796b88c795648ed2
SHA256

b1d43056050ebf9e4698475c07022fb3c6e39d721abaf32d459d5bf50ed1b515
SHA512

4e64d47e0c0b452546054a00491c60137ec9f4373554bda5a8e4099e803a9829e98bf130d2bec9cae9bc21eff41fc24487f50993e3316f2230c82eb08c5f9edb
SSDEEP

12288:H9nfsdPp5UPYBf4HFrsulbCAx2Qg8UcYps8CNfhfG7Ik2Q:H9fjPYBCFrPlb59Us8CDfQIk2Q

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 54 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
3012	schtasks.exe
908	schtasks.exe
2032	schtasks.exe
956	schtasks.exe
2512	schtasks.exe
2296	schtasks.exe
2856	schtasks.exe
1856	schtasks.exe
1628	schtasks.exe
1328	schtasks.exe
2324	schtasks.exe
2008	schtasks.exe
1648	schtasks.exe
2272	schtasks.exe
2732	schtasks.exe
3044	schtasks.exe
2052	schtasks.exe
2528	schtasks.exe
1720	schtasks.exe
1160	schtasks.exe
1660	schtasks.exe
3060	schtasks.exe
704	schtasks.exe
940	schtasks.exe
2552	schtasks.exe
968	schtasks.exe
2608	schtasks.exe
3032	schtasks.exe
292	schtasks.exe
2800	schtasks.exe
976	schtasks.exe
2240	schtasks.exe
1052	schtasks.exe
1576	schtasks.exe
2440	schtasks.exe
2900	schtasks.exe
1912	schtasks.exe
2556	schtasks.exe
2380	schtasks.exe
2432	schtasks.exe
2108	schtasks.exe
780	schtasks.exe
2648	schtasks.exe
2888	schtasks.exe
2220	schtasks.exe
576	schtasks.exe
2824	schtasks.exe
2916	schtasks.exe
1596	schtasks.exe
2252	schtasks.exe
888	schtasks.exe
2128	schtasks.exe
2468	schtasks.exe
2312	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\Uninstall Information\\spoolsv.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\Uninstall Information\\spoolsv.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\Uninstall Information\\spoolsv.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\taskhost.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\Users\\Public\\Favorites\\WmiPrvSE.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\explorer.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\Uninstall Information\\spoolsv.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\taskhost.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\Users\\Public\\Favorites\\WmiPrvSE.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\OSPPSVC.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\Uninstall Information\\spoolsv.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\taskhost.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\Users\\Public\\Favorites\\WmiPrvSE.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\OSPPSVC.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\smss.exe\", \"C:\\Windows\\de-DE\\audiodg.exe\", \"C:\\Windows\\security\\templates\\taskhost.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\Uninstall Information\\spoolsv.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\taskhost.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\Users\\Public\\Favorites\\WmiPrvSE.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\OSPPSVC.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\smss.exe\", \"C:\\Windows\\de-DE\\audiodg.exe\", \"C:\\Windows\\security\\templates\\taskhost.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\lsm.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\Uninstall Information\\spoolsv.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\Uninstall Information\\spoolsv.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\taskhost.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\Uninstall Information\\spoolsv.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\taskhost.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\Users\\Public\\Favorites\\WmiPrvSE.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\OSPPSVC.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\smss.exe\", \"C:\\Windows\\de-DE\\audiodg.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\Uninstall Information\\spoolsv.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\taskhost.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\Users\\Public\\Favorites\\WmiPrvSE.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\OSPPSVC.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\smss.exe\", \"C:\\Windows\\de-DE\\audiodg.exe\", \"C:\\Windows\\security\\templates\\taskhost.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lib\\wininit.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\Uninstall Information\\spoolsv.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\services.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\Uninstall Information\\spoolsv.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\taskhost.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\Users\\Public\\Favorites\\WmiPrvSE.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\Uninstall Information\\spoolsv.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\taskhost.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\Users\\Public\\Favorites\\WmiPrvSE.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\csrss.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\Uninstall Information\\spoolsv.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\taskhost.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\Users\\Public\\Favorites\\WmiPrvSE.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\OSPPSVC.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\smss.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\Uninstall Information\\spoolsv.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\taskhost.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\Uninstall Information\\spoolsv.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\taskhost.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\Users\\Public\\Favorites\\WmiPrvSE.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\OSPPSVC.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\WmiPrvSE.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\Uninstall Information\\spoolsv.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\taskhost.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\", \"C:\\Users\\Public\\Favorites\\WmiPrvSE.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\OSPPSVC.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\sppsvc.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	2340	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2340	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2116-1-0x0000000000040000-0x0000000000116000-memory.dmp	dcrat
behavioral1/files/0x0006000000018669-11.dat	dcrat
behavioral1/memory/1488-47-0x00000000002D0000-0x00000000003A6000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1488	OSPPSVC.exe

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Public\\Favorites\\WmiPrvSE.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\csrss.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\sppsvc.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\OSPPSVC.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\lsm.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Java\\jre7\\lib\\wininit.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Default User\\audiodg.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Public\\Favorites\\WmiPrvSE.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\OSPPSVC.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Windows Photo Viewer\\taskhost.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\csrss.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\explorer.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\WmiPrvSE.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\de-DE\\audiodg.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Uninstall Information\\spoolsv.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\WmiPrvSE.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\sppsvc.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\de-DE\\audiodg.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Uninstall Information\\spoolsv.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\OSPPSVC.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\services.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Default User\\audiodg.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\explorer.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\security\\templates\\taskhost.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\security\\templates\\taskhost.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\services.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\smss.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\smss.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Windows Photo Viewer\\taskhost.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\lsm.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Java\\jre7\\lib\\wininit.exe\""	7dd8afbb49ae5a087a23e98931557da2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\f3b6ecef712a24	7dd8afbb49ae5a087a23e98931557da2.exe
File created	C:\Program Files\Windows Photo Viewer\taskhost.exe	7dd8afbb49ae5a087a23e98931557da2.exe
File created	C:\Program Files\Windows Photo Viewer\b75386f1303e64	7dd8afbb49ae5a087a23e98931557da2.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe	7dd8afbb49ae5a087a23e98931557da2.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\886983d96e3d3e	7dd8afbb49ae5a087a23e98931557da2.exe
File created	C:\Program Files\Java\jre7\lib\wininit.exe	7dd8afbb49ae5a087a23e98931557da2.exe
File created	C:\Program Files\Java\jre7\lib\56085415360792	7dd8afbb49ae5a087a23e98931557da2.exe
File created	C:\Program Files\Uninstall Information\spoolsv.exe	7dd8afbb49ae5a087a23e98931557da2.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\audiodg.exe	7dd8afbb49ae5a087a23e98931557da2.exe
File created	C:\Windows\de-DE\42af1c969fbb7b	7dd8afbb49ae5a087a23e98931557da2.exe
File created	C:\Windows\security\templates\taskhost.exe	7dd8afbb49ae5a087a23e98931557da2.exe
File created	C:\Windows\security\templates\b75386f1303e64	7dd8afbb49ae5a087a23e98931557da2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2272	schtasks.exe
2900	schtasks.exe
3044	schtasks.exe
1160	schtasks.exe
2008	schtasks.exe
780	schtasks.exe
2856	schtasks.exe
2252	schtasks.exe
976	schtasks.exe
940	schtasks.exe
3060	schtasks.exe
2380	schtasks.exe
2468	schtasks.exe
2128	schtasks.exe
2032	schtasks.exe
2296	schtasks.exe
1660	schtasks.exe
2528	schtasks.exe
292	schtasks.exe
2512	schtasks.exe
1648	schtasks.exe
1596	schtasks.exe
3012	schtasks.exe
2220	schtasks.exe
2108	schtasks.exe
1576	schtasks.exe
704	schtasks.exe
2888	schtasks.exe
1720	schtasks.exe
2052	schtasks.exe
2552	schtasks.exe
2800	schtasks.exe
2824	schtasks.exe
2440	schtasks.exe
3032	schtasks.exe
1912	schtasks.exe
576	schtasks.exe
1856	schtasks.exe
2916	schtasks.exe
2324	schtasks.exe
2732	schtasks.exe
2312	schtasks.exe
2556	schtasks.exe
968	schtasks.exe
888	schtasks.exe
2432	schtasks.exe
908	schtasks.exe
2240	schtasks.exe
956	schtasks.exe
2608	schtasks.exe
1628	schtasks.exe
1328	schtasks.exe
2648	schtasks.exe
1052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2116	7dd8afbb49ae5a087a23e98931557da2.exe
1488	OSPPSVC.exe
1488	OSPPSVC.exe
1488	OSPPSVC.exe
1488	OSPPSVC.exe
1488	OSPPSVC.exe
1488	OSPPSVC.exe
1488	OSPPSVC.exe
1488	OSPPSVC.exe
1488	OSPPSVC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1488	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	7dd8afbb49ae5a087a23e98931557da2.exe
Token: SeDebugPrivilege	1488	OSPPSVC.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 884	2116	7dd8afbb49ae5a087a23e98931557da2.exe	86
PID 2116 wrote to memory of 884	2116	7dd8afbb49ae5a087a23e98931557da2.exe	86
PID 2116 wrote to memory of 884	2116	7dd8afbb49ae5a087a23e98931557da2.exe	86
PID 884 wrote to memory of 1588	884	cmd.exe	88
PID 884 wrote to memory of 1588	884	cmd.exe	88
PID 884 wrote to memory of 1588	884	cmd.exe	88
PID 884 wrote to memory of 1488	884	cmd.exe	89
PID 884 wrote to memory of 1488	884	cmd.exe	89
PID 884 wrote to memory of 1488	884	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7dd8afbb49ae5a087a23e98931557da2.exe
"C:\Users\Admin\AppData\Local\Temp\7dd8afbb49ae5a087a23e98931557da2.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cs9AbqBBxW.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1588
- - C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe
    "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Favorites\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\de-DE\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\security\templates\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\security\templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\security\templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\lib\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre7\lib\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe

Filesize
827KB

MD5
7dd8afbb49ae5a087a23e98931557da2

SHA1
925549dc8d4b1f21905d6430796b88c795648ed2

SHA256
b1d43056050ebf9e4698475c07022fb3c6e39d721abaf32d459d5bf50ed1b515

SHA512
4e64d47e0c0b452546054a00491c60137ec9f4373554bda5a8e4099e803a9829e98bf130d2bec9cae9bc21eff41fc24487f50993e3316f2230c82eb08c5f9edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cs9AbqBBxW.bat

Filesize
225B

MD5
a68371367117f899f6df7439c3ae21b1

SHA1
49c39b1b84c1387bda3db28c334aa215456adb54

SHA256
ffd2bfe4faec951d4e6267d6424521e5e0d5650e818c7ddcfcf8aa678865c9b7

SHA512
d15173b0c071f5bac3ea27584e3f02b97e38cdc16545cc6b75bb0cc326536688ba2b2fbff020c6eb3765e957ef704f612558e196405f3f8a30ae3f7791013ab4

Download Submit
memory/1488-47-0x00000000002D0000-0x00000000003A6000-memory.dmp

Filesize
856KB

Download
memory/2116-0-0x000007FEF55B3000-0x000007FEF55B4000-memory.dmp

Filesize
4KB

Download
memory/2116-1-0x0000000000040000-0x0000000000116000-memory.dmp

Filesize
856KB

Download
memory/2116-2-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/2116-44-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download