Analysis
max time kernel: 122s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07-11-2024 19:35
Behavioral task: behavioral1
Sample: 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe
Resource: win10v2004-20241007-en
General
Target: 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe
Size: 952KB
MD5: 80fd1427a8a08ad8f16a5a091d3080d5
SHA1: 16e6e7fdec42cdb1216c1ec28a3760135f6b5e1f
SHA256: 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de
SHA512: 8f321556d6b2cc8a5605e928534d29034587de4af47df149153fa9f636c56afb730a55a1ad01f491d531c4315bc31aefadd09462257478416636b9aba8672612
SSDEEP: 24576:W+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXX:x8/KfRTK
Malware Config
Signatures
-
DcRat 23 IoCs
DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
Processes: 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe, schtasks.exe (10 instances)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\regedit\\explorer.exe\"" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- PID 2780: schtasks.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\winlogon.exe\"" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\winlogon.exe\", \"C:\\Windows\\regedit\\explorer.exe\", \"C:\\Windows\\System32\\api-ms-win-core-heap-l1-1-0\\winlogon.exe\"" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\api-ms-win-core-heap-l1-1-0\\winlogon.exe\"" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\winlogon.exe\", \"C:\\Windows\\regedit\\explorer.exe\"" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\PerfLogs\\Admin\\csrss.exe\"" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- PID 1168: schtasks.exe
- PID 1428: schtasks.exe
- PID 752: schtasks.exe
- PID 576: schtasks.exe
- PID 2776: schtasks.exe
- PID 2588: schtasks.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\api-ms-win-core-heap-l1-1-0\\winlogon.exe\"" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\PerfLogs\\Admin\\csrss.exe\"" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\winlogon.exe\", \"C:\\Windows\\regedit\\explorer.exe\", \"C:\\Windows\\System32\\api-ms-win-core-heap-l1-1-0\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\csrss.exe\"" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Documents and Settings\\winlogon.exe\"" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- PID 2428: schtasks.exe
- PID 2860: schtasks.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\regedit\\explorer.exe\"" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- PID 2296: schtasks.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Documents and Settings\\winlogon.exe\"" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 10 IoCs
Processes: 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe (2 instances); every entry below was set by 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\winlogon.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\winlogon.exe\", \"C:\\Windows\\regedit\\explorer.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\winlogon.exe\", \"C:\\Windows\\regedit\\explorer.exe\", \"C:\\Windows\\System32\\api-ms-win-core-heap-l1-1-0\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\csrss.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\winlogon.exe\", \"C:\\Windows\\regedit\\explorer.exe\", \"C:\\Windows\\System32\\api-ms-win-core-heap-l1-1-0\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\csrss.exe\", \"C:\\Windows\\System32\\wbem\\mstscax\\WmiPrvSE.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\winlogon.exe\", \"C:\\Windows\\regedit\\explorer.exe\", \"C:\\Windows\\System32\\api-ms-win-core-heap-l1-1-0\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\csrss.exe\", \"C:\\Windows\\System32\\wbem\\mstscax\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\wbem\\drvinst\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\mmcico\\csrss.exe\", \"C:\\ProgramData\\Microsoft\\MSDN\\csrss.exe\", \"C:\\Windows\\System32\\pcl\\smss.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\winlogon.exe\", \"C:\\Windows\\regedit\\explorer.exe\", \"C:\\Windows\\System32\\api-ms-win-core-heap-l1-1-0\\winlogon.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\winlogon.exe\", \"C:\\Windows\\regedit\\explorer.exe\", \"C:\\Windows\\System32\\api-ms-win-core-heap-l1-1-0\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\csrss.exe\", \"C:\\Windows\\System32\\wbem\\mstscax\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\wbem\\drvinst\\WmiPrvSE.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\winlogon.exe\", \"C:\\Windows\\regedit\\explorer.exe\", \"C:\\Windows\\System32\\api-ms-win-core-heap-l1-1-0\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\csrss.exe\", \"C:\\Windows\\System32\\wbem\\mstscax\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\wbem\\drvinst\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\mmcico\\csrss.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\winlogon.exe\", \"C:\\Windows\\regedit\\explorer.exe\", \"C:\\Windows\\System32\\api-ms-win-core-heap-l1-1-0\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\csrss.exe\", \"C:\\Windows\\System32\\wbem\\mstscax\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\wbem\\drvinst\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\mmcico\\csrss.exe\", \"C:\\ProgramData\\Microsoft\\MSDN\\csrss.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\winlogon.exe\", \"C:\\Windows\\regedit\\explorer.exe\", \"C:\\Windows\\System32\\api-ms-win-core-heap-l1-1-0\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\csrss.exe\", \"C:\\Windows\\System32\\wbem\\mstscax\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\wbem\\drvinst\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\mmcico\\csrss.exe\", \"C:\\ProgramData\\Microsoft\\MSDN\\csrss.exe\", \"C:\\Windows\\System32\\pcl\\smss.exe\", \"C:\\Windows\\System32\\licmgr10\\csrss.exe\""
Process spawned unexpected child process 10 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (10 instances)
Description for every entry: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid_target 984, procid_target 30)
- pid 2296: schtasks.exe
- pid 2776: schtasks.exe
- pid 2780: schtasks.exe
- pid 2588: schtasks.exe
- pid 1168: schtasks.exe
- pid 1428: schtasks.exe
- pid 752: schtasks.exe
- pid 576: schtasks.exe
- pid 2428: schtasks.exe
- pid 2860: schtasks.exe
UAC bypass
Processes: 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe (2 instances), WmiPrvSE.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (WmiPrvSE.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (WmiPrvSE.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (WmiPrvSE.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
Resources matching yara rule (resource, yara_rule):
- behavioral1/memory/2960-1-0x0000000001040000-0x0000000001134000-memory.dmp: dcrat
- behavioral1/files/0x0015000000018663-23.dat: dcrat
- behavioral1/files/0x0016000000018663-33.dat: dcrat
- behavioral1/files/0x0009000000016d36-67.dat: dcrat
- behavioral1/memory/1668-78-0x00000000002D0000-0x00000000003C4000-memory.dmp: dcrat
- behavioral1/memory/1292-109-0x0000000000F70000-0x0000000001064000-memory.dmp: dcrat
Executes dropped EXE 2 IoCs
Processes: 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe, WmiPrvSE.exe
- PID 1668: 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe
- PID 1292: WmiPrvSE.exe
Adds Run key to start application 2 TTPs 20 IoCs
Processes: 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe (2 instances); every entry below was set by 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Documents and Settings\\winlogon.exe\""
- Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\regedit\\explorer.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\regedit\\explorer.exe\""
- Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\licmgr10\\csrss.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\pcl\\smss.exe\""
- Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\api-ms-win-core-heap-l1-1-0\\winlogon.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\mmcico\\csrss.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Microsoft\\MSDN\\csrss.exe\""
- Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\pcl\\smss.exe\""
- Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\drvinst\\WmiPrvSE.exe\""
- Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\mmcico\\csrss.exe\""
- Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Microsoft\\MSDN\\csrss.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Documents and Settings\\winlogon.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\api-ms-win-core-heap-l1-1-0\\winlogon.exe\""
- Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\mstscax\\WmiPrvSE.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\mstscax\\WmiPrvSE.exe\""
- Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\PerfLogs\\Admin\\csrss.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\PerfLogs\\Admin\\csrss.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\drvinst\\WmiPrvSE.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\licmgr10\\csrss.exe\""
Checks whether UAC is enabled
Processes: 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe (2 instances), WmiPrvSE.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (WmiPrvSE.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (WmiPrvSE.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
Drops file in System32 directory 20 IoCs
Processes: 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe (2 instances); every entry below was performed by 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe
- File created: C:\Windows\System32\mmcico\886983d96e3d3e31032c679b2d4ea91b6c05afef
- File created: C:\Windows\System32\pcl\69ddcba757bf72f7d36c464c71f42baab150b2b9
- File opened for modification: C:\Windows\System32\mmcico\csrss.exe
- File created: C:\Windows\System32\wbem\drvinst\WmiPrvSE.exe
- File opened for modification: C:\Windows\System32\api-ms-win-core-heap-l1-1-0\winlogon.exe
- File opened for modification: C:\Windows\System32\wbem\mstscax\WmiPrvSE.exe
- File opened for modification: C:\Windows\System32\api-ms-win-core-heap-l1-1-0\RCXC652.tmp
- File created: C:\Windows\System32\mmcico\csrss.exe
- File created: C:\Windows\System32\licmgr10\886983d96e3d3e31032c679b2d4ea91b6c05afef
- File opened for modification: C:\Windows\System32\wbem\drvinst\WmiPrvSE.exe
- File created: C:\Windows\System32\wbem\mstscax\WmiPrvSE.exe
- File created: C:\Windows\System32\api-ms-win-core-heap-l1-1-0\cc11b995f2a76da408ea6a601e682e64743153ad
- File opened for modification: C:\Windows\System32\api-ms-win-core-heap-l1-1-0\RCXC651.tmp
- File created: C:\Windows\System32\wbem\mstscax\24dbde2999530ef5fd907494bc374d663924116c
- File created: C:\Windows\System32\wbem\drvinst\24dbde2999530ef5fd907494bc374d663924116c
- File created: C:\Windows\System32\pcl\smss.exe
- File created: C:\Windows\System32\licmgr10\csrss.exe
- File opened for modification: C:\Windows\System32\pcl\smss.exe
- File created: C:\Windows\System32\api-ms-win-core-heap-l1-1-0\winlogon.exe
- File opened for modification: C:\Windows\System32\licmgr10\csrss.exe
Drops file in Windows directory 5 IoCs
Processes: 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe; every entry below was performed by 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe
- File opened for modification: C:\Windows\regedit\RCXC44D.tmp
- File opened for modification: C:\Windows\regedit\RCXC44E.tmp
- File opened for modification: C:\Windows\regedit\explorer.exe
- File created: C:\Windows\regedit\explorer.exe
- File created: C:\Windows\regedit\7a0fd90576e08807bde2cc57bcf9854bbce05fe3
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (10 instances)
- PID 2776: schtasks.exe
- PID 1428: schtasks.exe
- PID 576: schtasks.exe
- PID 2860: schtasks.exe
- PID 2296: schtasks.exe
- PID 2780: schtasks.exe
- PID 2588: schtasks.exe
- PID 1168: schtasks.exe
- PID 752: schtasks.exe
- PID 2428: schtasks.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes: 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe (2 instances)
- PID 2960: 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe (5 entries)
- PID 1668: 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe (7 entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe (2 instances), WmiPrvSE.exe
- Token: SeDebugPrivilege, PID 2960, 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe
- Token: SeDebugPrivilege, PID 1668, 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe
- Token: SeDebugPrivilege, PID 1292, WmiPrvSE.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes: 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe, cmd.exe, 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe
Columns: description, pid, Process, procid_target (each row was recorded 3 times)
- PID 2960 wrote to memory of 2024: pid 2960, 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe, procid_target 35
- PID 2024 wrote to memory of 2324: pid 2024, cmd.exe, procid_target 37
- PID 2024 wrote to memory of 1668: pid 2024, cmd.exe, procid_target 39
- PID 1668 wrote to memory of 1292: pid 1668, 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe, procid_target 46
System policy modification 1 TTPs 9 IoCs
Processes: WmiPrvSE.exe, 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe (2 instances)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (WmiPrvSE.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (WmiPrvSE.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (WmiPrvSE.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe (tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe"
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2960
C:\Windows\System32\cmd.exe (tree level 2)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wPTDzgIrIb.bat"
- Suspicious use of WriteProcessMemory
PID: 2024
C:\Windows\system32\w32tm.exe (tree level 3)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2324
C:\Users\Admin\AppData\Local\Temp\097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe (tree level 3)
  Command line: "C:\Users\Admin\AppData\Local\Temp\097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1668
C:\Windows\System32\wbem\drvinst\WmiPrvSE.exe (tree level 4)
  Command line: "C:\Windows\System32\wbem\drvinst\WmiPrvSE.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 1292
C:\Windows\system32\schtasks.exe (tree level 1)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Documents and Settings\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2296
C:\Windows\system32\schtasks.exe (tree level 1)
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\regedit\explorer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2776
C:\Windows\system32\schtasks.exe (tree level 1)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\api-ms-win-core-heap-l1-1-0\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2780
C:\Windows\system32\schtasks.exe (tree level 1)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\PerfLogs\Admin\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2588
C:\Windows\system32\schtasks.exe (tree level 1)
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\mstscax\WmiPrvSE.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1168
C:\Windows\system32\schtasks.exe (tree level 1)
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\drvinst\WmiPrvSE.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1428
C:\Windows\system32\schtasks.exe (tree level 1)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\mmcico\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 752
C:\Windows\system32\schtasks.exe (tree level 1)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\MSDN\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 576
C:\Windows\system32\schtasks.exe (tree level 1)
  Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\pcl\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2428
C:\Windows\system32\schtasks.exe (tree level 1)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\licmgr10\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2860
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
- Filesize: 952KB
  MD5: 56c429a460be829c28d0b4cdc116f5a4
  SHA1: c1ee48b33d9467330d50897cfd03b2ba7fc73621
  SHA256: 16cb1376d639951a3e07d29d4460938cd150a1ca112e1ab2dd6bba17624676fd
  SHA512: ce004abd9b9b0191231f422b7e391bc34829c714f97591748ac10e4df7a9a79c72a896a3c43d98612afa22d955bf540e6e236a36fd2bf16d91c89195449f6a46
- Filesize: 952KB
  MD5: 80fd1427a8a08ad8f16a5a091d3080d5
  SHA1: 16e6e7fdec42cdb1216c1ec28a3760135f6b5e1f
  SHA256: 097054f17509ff1370a6954f8d69c873d8013a9d8439cc623545d583f4b263de
  SHA512: 8f321556d6b2cc8a5605e928534d29034587de4af47df149153fa9f636c56afb730a55a1ad01f491d531c4315bc31aefadd09462257478416636b9aba8672612
- Filesize: 266B
  MD5: b9dc6ea612c272746c76599a5e6b4f15
  SHA1: b69daf2651dd732f5e9b591c232e694e71954352
  SHA256: 3da50f0aa28cf904cd4f0cfa0dfdb51f72c748952bb5f12ecabec95d89edd6ed
  SHA512: a1ff95bb0b705a265434f404d439cbe8a40cfe2f6acb9688876d99d2407546f32769ba17e3cfa1af5bd10dc872e27ea483f7b060e7b1fccec4e0e17cab4555a1
- Filesize: 952KB
  MD5: b2b09be11b1e02501eb9a78929c9e696
  SHA1: e0e8f5cb53d4c1c7e68cef1f95435b4ebcc44430
  SHA256: f4560495ba26acad5353697aa9af4df723ee717da9d528e60087c74ea6297f5f
  SHA512: 0bb8f7ad127014cd5e175585313a63a0c66b8b9c4f8ca0ec51b84da5110b3a244e4affb4a535439719e14d24d144e454de005300b1ea9eeea8ec7e6c96d0b7e2