dcrat | 8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366

Analysis

max time kernel
134s
max time network
156s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-11-2024 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Size

1.6MB
MD5

477db3de46b7779b63495a8bdb279f2c
SHA1

77dc3f7d83728294c49298db82dd0e668adc3a73
SHA256

8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366
SHA512

4ac940fa7ce3c8a2a646639a5b00c5c8a1dcafcfba460782068446a321455cf5af10e1e6ae4e6753150beab7d2431a7c38192787b32c4e508b73f4b3ac843956
SSDEEP

24576:/KEYWAa5pLMzdFGZWWs5cRtb6kMgmrmtXVdaNjTXf3qtzdzkkJj6:/p1JAz5cjb6k4cFdaNjTXfa/

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Speech\\Engines\\Lexicon\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Idle.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\services.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Speech\\Engines\\Lexicon\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Idle.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\services.exe\", \"C:\\Windows\\SchCache\\wininit.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Speech\\Engines\\Lexicon\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Idle.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\services.exe\", \"C:\\Windows\\SchCache\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\csrss.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Speech\\Engines\\Lexicon\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Idle.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\services.exe\", \"C:\\Windows\\SchCache\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Speech\\Engines\\Lexicon\\Idle.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Speech\\Engines\\Lexicon\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Idle.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2864	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2864	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2864	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2864	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2864	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2864	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2864	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2864	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2864	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2864	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2864	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2864	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2864	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2864	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2864	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2864	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2864	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2864	schtasks.exe	31

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1920	powershell.exe
2856	powershell.exe
1348	powershell.exe
2712	powershell.exe
1096	powershell.exe
2928	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2996	wininit.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Defender\\fr-FR\\services.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Defender\\fr-FR\\services.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\SchCache\\wininit.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Reference Assemblies\\csrss.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Speech\\Engines\\Lexicon\\Idle.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Speech\\Engines\\Lexicon\\Idle.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\SchCache\\wininit.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Reference Assemblies\\csrss.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Idle.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Idle.exe\""	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC88F7A304C57E463CBA3DC0F5B0C45920.TMP	csc.exe
File created	\??\c:\Windows\System32\qmeprf.exe	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\csrss.exe	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\csrss.exe	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
File created	C:\Program Files (x86)\Reference Assemblies\886983d96e3d3e	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
File created	C:\Program Files\Windows Defender\fr-FR\services.exe	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
File created	C:\Program Files\Windows Defender\fr-FR\c5b4cb5e9653cc	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\wininit.exe	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
File created	C:\Windows\SchCache\56085415360792	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
File created	C:\Windows\Speech\Engines\Lexicon\Idle.exe	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
File created	C:\Windows\Speech\Engines\Lexicon\6ccacd8608530f	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
568	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
568	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2836	schtasks.exe
1924	schtasks.exe
2676	schtasks.exe
1960	schtasks.exe
3044	schtasks.exe
1792	schtasks.exe
1624	schtasks.exe
1740	schtasks.exe
2960	schtasks.exe
1788	schtasks.exe
1844	schtasks.exe
1976	schtasks.exe
2876	schtasks.exe
1576	schtasks.exe
1420	schtasks.exe
1708	schtasks.exe
860	schtasks.exe
2776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
1348	powershell.exe
2928	powershell.exe
2856	powershell.exe
1096	powershell.exe
1920	powershell.exe
2712	powershell.exe
2996	wininit.exe
2996	wininit.exe
2996	wininit.exe
2996	wininit.exe
2996	wininit.exe
2996	wininit.exe
2996	wininit.exe
2996	wininit.exe
2996	wininit.exe
2996	wininit.exe
2996	wininit.exe
2996	wininit.exe
2996	wininit.exe
2996	wininit.exe
2996	wininit.exe
2996	wininit.exe
2996	wininit.exe
2996	wininit.exe
2996	wininit.exe
2996	wininit.exe
2996	wininit.exe
2996	wininit.exe
2996	wininit.exe
2996	wininit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2996	wininit.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2996	wininit.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2640	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	35
PID 2068 wrote to memory of 2640	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	35
PID 2068 wrote to memory of 2640	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	35
PID 2640 wrote to memory of 2408	2640	csc.exe	37
PID 2640 wrote to memory of 2408	2640	csc.exe	37
PID 2640 wrote to memory of 2408	2640	csc.exe	37
PID 2068 wrote to memory of 1920	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	53
PID 2068 wrote to memory of 1920	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	53
PID 2068 wrote to memory of 1920	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	53
PID 2068 wrote to memory of 1348	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	54
PID 2068 wrote to memory of 1348	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	54
PID 2068 wrote to memory of 1348	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	54
PID 2068 wrote to memory of 2856	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	55
PID 2068 wrote to memory of 2856	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	55
PID 2068 wrote to memory of 2856	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	55
PID 2068 wrote to memory of 2712	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	56
PID 2068 wrote to memory of 2712	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	56
PID 2068 wrote to memory of 2712	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	56
PID 2068 wrote to memory of 1096	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	57
PID 2068 wrote to memory of 1096	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	57
PID 2068 wrote to memory of 1096	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	57
PID 2068 wrote to memory of 2928	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	58
PID 2068 wrote to memory of 2928	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	58
PID 2068 wrote to memory of 2928	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	58
PID 2068 wrote to memory of 2920	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	62
PID 2068 wrote to memory of 2920	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	62
PID 2068 wrote to memory of 2920	2068	8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe	62
PID 2920 wrote to memory of 2848	2920	cmd.exe	67
PID 2920 wrote to memory of 2848	2920	cmd.exe	67
PID 2920 wrote to memory of 2848	2920	cmd.exe	67
PID 2920 wrote to memory of 568	2920	cmd.exe	68
PID 2920 wrote to memory of 568	2920	cmd.exe	68
PID 2920 wrote to memory of 568	2920	cmd.exe	68
PID 2920 wrote to memory of 2996	2920	cmd.exe	69
PID 2920 wrote to memory of 2996	2920	cmd.exe	69
PID 2920 wrote to memory of 2996	2920	cmd.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe
"C:\Users\Admin\AppData\Local\Temp\8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gptodn3j\gptodn3j.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE485.tmp" "c:\Windows\System32\CSC88F7A304C57E463CBA3DC0F5B0C45920.TMP"
    3⤵
    PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\Engines\Lexicon\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9wT7yzjOuV.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2848
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:568
- - C:\Windows\SchCache\wininit.exe
    "C:\Windows\SchCache\wininit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech\Engines\Lexicon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\Lexicon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Speech\Engines\Lexicon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\fr-FR\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\SchCache\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\SchCache\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e563668" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e563668" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9wT7yzjOuV.bat

Filesize
159B

MD5
7f6b14a50c3195cdd21596b183a348ff

SHA1
9b4a004fe3749526c9c610580e7462aab78f9459

SHA256
c90ae89bf17849b7ad891da1698747e262a22fb85a37bbc8f56209b7683ea2f1

SHA512
e8e20f213304c8ec0e52e7c3ca533de5db7475ff6be041317bde412c29816d827c8b17a1b575597476b8a2050dbbc17804158d9449b3e4ffa39e959a03b3c16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE485.tmp

Filesize
1KB

MD5
e4bed3c396bf7ba5caea1600c5a93991

SHA1
99752477c2bcd79d8117e38b053e4a58c00f97ac

SHA256
a2557642b68c6dfda57a76a6263693fe5079806baf4ffedee59747f6e33a9276

SHA512
bc88f74cf3593e9b043f157eeb89012f116d4f231ac211ae720c3e5d023e0ebb1b96ebf04d94a44743e50cbdf4f07cff492b78cc0d24961f2a329b37190f5010

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
11e84ba7a5052a198038464279b40473

SHA1
d17bdb0970374a61a0e9c6d7880a254306137870

SHA256
cfa423dc8162b89b251d543df5c0cad6327979fc08912242368d10709e72385f

SHA512
98c936646de5fa6c4868ba29fb77ecd983a88b54a2b44ab1f9db25f19aa40f8af7edd76d2239b8a6a37a5686ee99f8230918387d898ef13b91a36575d95dcf58

Download Submit
C:\Windows\Speech\Engines\Lexicon\Idle.exe

Filesize
1.6MB

MD5
477db3de46b7779b63495a8bdb279f2c

SHA1
77dc3f7d83728294c49298db82dd0e668adc3a73

SHA256
8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366

SHA512
4ac940fa7ce3c8a2a646639a5b00c5c8a1dcafcfba460782068446a321455cf5af10e1e6ae4e6753150beab7d2431a7c38192787b32c4e508b73f4b3ac843956

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gptodn3j\gptodn3j.0.cs

Filesize
374B

MD5
24c65b02cb80da07ab2bea9a9f10a2af

SHA1
57bbe0ef06b4106100903677592cee10c36422d0

SHA256
ad1fd785cafcdf11042894046bbbd9925ea6b066300098182726342164d02979

SHA512
1938133a60aae60998ca3f89a6afac372683ec194c88ae74df91839129b909e232fd3bb60cc3a9732e178d8009b02effa905147dbbbbab99a3f275b4db6e8a5d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gptodn3j\gptodn3j.cmdline

Filesize
235B

MD5
9d0208783d4946881a9d745b349ddc3e

SHA1
df9eeed39e7be9c7c72a2e64b1f64d85e2224f40

SHA256
774e50e036980960919e07dff4b15f27fba0d578c565ff6048cb67a36f5aec0f

SHA512
83c75be3a1ec58c7c310ee66bdf1e63fc154dc7bd0c762a162ea5df18dd88f0f14e0068a576a3b41261fa43b581b2cb91f04deb9b8b904c27be56eff9b905363

Download Submit
\??\c:\Windows\System32\CSC88F7A304C57E463CBA3DC0F5B0C45920.TMP

Filesize
1KB

MD5
167c870490dc33ec13a83ebb533b1bf6

SHA1
182378ebfa7c8372a988dee50a7dd6f8cda6a367

SHA256
3f742a374ad5a8da8fba9dfea27c7382dde145d46732cfc0002a53a1311df5e6

SHA512
1b48bb5f270f5d99d9dd98cd9da5866aed9377957d92bf1d686878522c438b38a444073c1a0ed4cc85f97315d2ef6abf05b74ab2265fecb20be5795b2ccef64e

Download Submit
memory/1096-60-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/1348-59-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2068-6-0x00000000006C0000-0x00000000006CE000-memory.dmp

Filesize
56KB

Download
memory/2068-22-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2068-16-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2068-9-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2068-8-0x00000000006D0000-0x00000000006DC000-memory.dmp

Filesize
48KB

Download
memory/2068-0-0x000007FEF5523000-0x000007FEF5524000-memory.dmp

Filesize
4KB

Download
memory/2068-4-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2068-3-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2068-2-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2068-66-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2068-1-0x0000000000270000-0x000000000041A000-memory.dmp

Filesize
1.7MB

Download
memory/2996-74-0x0000000000A80000-0x0000000000C2A000-memory.dmp

Filesize
1.7MB

Download