dcrat | 0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
Size

9.4MB
MD5

813b749967045532f86e6442447bcd8b
SHA1

8d0615e7f7ba672a3fc94c05a9451f9d08797af7
SHA256

0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464
SHA512

47c16f403ab33ebb9e59c7c3a053dc29d0d654174d2be9153966ad9fc873e641f34ab44c7e38fb4c6fd376b384d4e1da0dacafb384e9abb1c7eb92cb32533877
SSDEEP

24576:GYx7SFGwWG8/Ad5kybgeK8uQY2ZqR7NlaDbTxnVhv2MMLdGIhJ:IFFbK8q2ZhDbTNv2MuV

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1572-6-0x0000000000400000-0x0000000000538000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe

Executes dropped EXE 2 IoCs

pid	Process
636	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
4984	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs

pid	Process
2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
636	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
636	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
636	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
636	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
636	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
636	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
636	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
636	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
636	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
636	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
636	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
636	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2544 set thread context of 1572	2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	102
PID 636 set thread context of 4984	636	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	141

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\fontdrvhost.exe	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\5b884080fd4f94e2695da25c503f9e33b9605b83	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\services.exe	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
File created	C:\Program Files\Java\jdk-1.8\lib\services.exe	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\services.exe	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
File created	C:\Program Files\Java\jdk-1.8\lib\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\smss.exe	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\system\Audio\WmiPrvSE.exe	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
File created	C:\Windows\CSC\SppExtComObj.exe	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
File created	C:\Windows\it-IT\sihost.exe	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
File created	C:\Windows\it-IT\66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3720	2544	WerFault.exe	83
3720	636	WerFault.exe	131

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Delays execution with timeout.exe 6 IoCs

evasion

pid	Process
2216	timeout.exe
372	timeout.exe
4372	timeout.exe
2380	timeout.exe
1500	timeout.exe
2704	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2372	schtasks.exe
3784	schtasks.exe
1408	schtasks.exe
2956	schtasks.exe
2528	schtasks.exe
4052	schtasks.exe
2852	schtasks.exe
2656	schtasks.exe
212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
636	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
636	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
636	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
4984	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
Token: SeDebugPrivilege	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
Token: SeDebugPrivilege	636	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
Token: SeDebugPrivilege	4984	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 3088	2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	86
PID 2544 wrote to memory of 3088	2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	86
PID 2544 wrote to memory of 3088	2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	86
PID 3088 wrote to memory of 2704	3088	cmd.exe	88
PID 3088 wrote to memory of 2704	3088	cmd.exe	88
PID 3088 wrote to memory of 2704	3088	cmd.exe	88
PID 2544 wrote to memory of 4132	2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	91
PID 2544 wrote to memory of 4132	2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	91
PID 2544 wrote to memory of 4132	2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	91
PID 4132 wrote to memory of 2216	4132	cmd.exe	93
PID 4132 wrote to memory of 2216	4132	cmd.exe	93
PID 4132 wrote to memory of 2216	4132	cmd.exe	93
PID 2544 wrote to memory of 2172	2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	99
PID 2544 wrote to memory of 2172	2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	99
PID 2544 wrote to memory of 2172	2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	99
PID 2172 wrote to memory of 372	2172	cmd.exe	101
PID 2172 wrote to memory of 372	2172	cmd.exe	101
PID 2172 wrote to memory of 372	2172	cmd.exe	101
PID 2544 wrote to memory of 1572	2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	102
PID 2544 wrote to memory of 1572	2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	102
PID 2544 wrote to memory of 1572	2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	102
PID 2544 wrote to memory of 1572	2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	102
PID 2544 wrote to memory of 1572	2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	102
PID 2544 wrote to memory of 1572	2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	102
PID 2544 wrote to memory of 1572	2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	102
PID 2544 wrote to memory of 1572	2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	102
PID 2544 wrote to memory of 1572	2544	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	102
PID 1572 wrote to memory of 2372	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	113
PID 1572 wrote to memory of 2372	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	113
PID 1572 wrote to memory of 2372	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	113
PID 1572 wrote to memory of 3784	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	115
PID 1572 wrote to memory of 3784	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	115
PID 1572 wrote to memory of 3784	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	115
PID 1572 wrote to memory of 2852	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	117
PID 1572 wrote to memory of 2852	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	117
PID 1572 wrote to memory of 2852	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	117
PID 1572 wrote to memory of 1408	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	119
PID 1572 wrote to memory of 1408	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	119
PID 1572 wrote to memory of 1408	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	119
PID 1572 wrote to memory of 2956	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	121
PID 1572 wrote to memory of 2956	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	121
PID 1572 wrote to memory of 2956	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	121
PID 1572 wrote to memory of 2656	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	123
PID 1572 wrote to memory of 2656	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	123
PID 1572 wrote to memory of 2656	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	123
PID 1572 wrote to memory of 2528	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	125
PID 1572 wrote to memory of 2528	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	125
PID 1572 wrote to memory of 2528	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	125
PID 1572 wrote to memory of 212	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	127
PID 1572 wrote to memory of 212	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	127
PID 1572 wrote to memory of 212	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	127
PID 1572 wrote to memory of 4052	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	129
PID 1572 wrote to memory of 4052	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	129
PID 1572 wrote to memory of 4052	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	129
PID 1572 wrote to memory of 636	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	131
PID 1572 wrote to memory of 636	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	131
PID 1572 wrote to memory of 636	1572	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	131
PID 636 wrote to memory of 2588	636	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	132
PID 636 wrote to memory of 2588	636	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	132
PID 636 wrote to memory of 2588	636	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	132
PID 2588 wrote to memory of 4372	2588	cmd.exe	134
PID 2588 wrote to memory of 4372	2588	cmd.exe	134
PID 2588 wrote to memory of 4372	2588	cmd.exe	134
PID 636 wrote to memory of 2992	636	0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe	135

C:\Users\Admin\AppData\Local\Temp\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
"C:\Users\Admin\AppData\Local\Temp\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2216
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:372
- C:\Users\Admin\AppData\Local\Temp\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
  "C:\Users\Admin\AppData\Local\Temp\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe"
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\lib\services.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2372
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-2437139445-1151884604-3026847218-1000\dllhost.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3784
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2852
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1408
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\fontdrvhost.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2956
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\it-IT\sihost.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2656
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\services.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2528
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\PerfLogs\WmiPrvSE.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:212
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4052
- - C:\Recovery\WindowsRE\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
    "C:\Recovery\WindowsRE\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4372
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      4⤵
      System Location Discovery: System Language Discovery
      PID:2992
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2380
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      4⤵
      System Location Discovery: System Language Discovery
      PID:4012
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1500
  - - C:\Recovery\WindowsRE\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
      "C:\Recovery\WindowsRE\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4984
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 876
      4⤵
      Program crash
      PID:3720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 1500
  2⤵
  - Program crash
  PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2544 -ip 2544
1⤵
PID:584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 636 -ip 636
1⤵
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\fontdrvhost.exe

Filesize
9.4MB

MD5
813b749967045532f86e6442447bcd8b

SHA1
8d0615e7f7ba672a3fc94c05a9451f9d08797af7

SHA256
0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464

SHA512
47c16f403ab33ebb9e59c7c3a053dc29d0d654174d2be9153966ad9fc873e641f34ab44c7e38fb4c6fd376b384d4e1da0dacafb384e9abb1c7eb92cb32533877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe.log

Filesize
1KB

MD5
f3bfc02ce6af9df415d3a7582b4b7bb1

SHA1
a47b22d560e1bcc3f5f3048b7727aa36c6459a56

SHA256
eb536b383e1132aa536f8c4ee4a1615dffb1d997498f467cb295525f8677b1b7

SHA512
5e12b008241e114972b3ea6b774096a13b81cb104fb44f78f77df9897dc1e2ffa7da35beef32f1ba62ca3f547d7432078bfab133d7fc753e747591dcb0ea294b

Download Submit
memory/1572-6-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1572-7-0x0000000005D10000-0x0000000005D76000-memory.dmp

Filesize
408KB

Download
memory/1572-9-0x0000000006B00000-0x0000000006B92000-memory.dmp

Filesize
584KB

Download
memory/2544-0-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

Filesize
4KB

Download
memory/2544-1-0x00000000008D0000-0x000000000122C000-memory.dmp

Filesize
9.4MB

Download
memory/2544-2-0x0000000005BD0000-0x0000000005C6C000-memory.dmp

Filesize
624KB

Download
memory/2544-3-0x00000000080F0000-0x0000000008236000-memory.dmp

Filesize
1.3MB

Download
memory/2544-4-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/2544-5-0x000000000B6A0000-0x000000000BC44000-memory.dmp

Filesize
5.6MB

Download
memory/2544-8-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download