dcrat | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9

Analysis

max time kernel
43s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/11/2024, 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Size

426KB
MD5

2d94c0a9c700f4a1552a1e2fe2cd33e2
SHA1

7dfe6f390ea59bc8d53431cd3a4756c109e201ee
SHA256

352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9
SHA512

4add372efa87a762a63c528699b84ce3f0ad4f4f4966fb58a721d92a9d5e1f2acc49e8e406c89a25ba1698cb1ceb0714e9b63109ba3a26b24ee696096ce855f4
SSDEEP

12288:mDLfHXFL+Kfcos8Us9s4R1d4j7nwlmyAgn/fT:mtyUAQnR+7wlmy7/7

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Users\\All Users\\Microsoft\\NetFramework\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Windows\\LiveKernelReports\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\System.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\Idle.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Users\\All Users\\Microsoft\\NetFramework\\taskhost.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Users\\All Users\\Microsoft\\NetFramework\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\services.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Users\\All Users\\Microsoft\\NetFramework\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Windows\\LiveKernelReports\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Users\\All Users\\Microsoft\\NetFramework\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Windows\\LiveKernelReports\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\System.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2684	schtasks.exe	30

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2372-2-0x000000001A910000-0x000000001A9E2000-memory.dmp	family_dcrat_v2
behavioral1/memory/1300-52-0x0000000000350000-0x0000000000422000-memory.dmp	family_dcrat_v2

Executes dropped EXE 1 IoCs

pid	Process
1300	System.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Cursors\\Idle.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\services.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\services.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9 = "\"C:\\Windows\\LiveKernelReports\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Cursors\\Idle.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\All Users\\Microsoft\\NetFramework\\taskhost.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\All Users\\Microsoft\\NetFramework\\taskhost.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9 = "\"C:\\Windows\\LiveKernelReports\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\System.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\System.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC3AE5F8C2D85B4E82BB357E62DDA3A06A.TMP	csc.exe
File created	\??\c:\Windows\System32\qmeprf.exe	csc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\Idle.exe	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
File created	C:\Windows\Cursors\6ccacd8608530f	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
File created	C:\Windows\LiveKernelReports\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
File created	C:\Windows\LiveKernelReports\05c13b4fa42a45	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2160	schtasks.exe
2540	schtasks.exe
2596	schtasks.exe
3036	schtasks.exe
1916	schtasks.exe
2824	schtasks.exe
2140	schtasks.exe
3024	schtasks.exe
3012	schtasks.exe
1996	schtasks.exe
1176	schtasks.exe
2004	schtasks.exe
1696	schtasks.exe
2332	schtasks.exe
2388	schtasks.exe
2944	schtasks.exe
2856	schtasks.exe
2172	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Token: SeDebugPrivilege	1300	System.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 3016	2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe	34
PID 2372 wrote to memory of 3016	2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe	34
PID 2372 wrote to memory of 3016	2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe	34
PID 3016 wrote to memory of 408	3016	csc.exe	36
PID 3016 wrote to memory of 408	3016	csc.exe	36
PID 3016 wrote to memory of 408	3016	csc.exe	36
PID 2372 wrote to memory of 1956	2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe	52
PID 2372 wrote to memory of 1956	2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe	52
PID 2372 wrote to memory of 1956	2372	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe	52
PID 1956 wrote to memory of 552	1956	cmd.exe	54
PID 1956 wrote to memory of 552	1956	cmd.exe	54
PID 1956 wrote to memory of 552	1956	cmd.exe	54
PID 1956 wrote to memory of 2384	1956	cmd.exe	55
PID 1956 wrote to memory of 2384	1956	cmd.exe	55
PID 1956 wrote to memory of 2384	1956	cmd.exe	55
PID 1956 wrote to memory of 1300	1956	cmd.exe	56
PID 1956 wrote to memory of 1300	1956	cmd.exe	56
PID 1956 wrote to memory of 1300	1956	cmd.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
"C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uc1qgtoe\uc1qgtoe.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6365.tmp" "c:\Windows\System32\CSC3AE5F8C2D85B4E82BB357E62DDA3A06A.TMP"
    3⤵
    PID:408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OSn3E3ruTQ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:552
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2384
- - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe
    "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Cursors\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft\NetFramework\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\NetFramework\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\NetFramework\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e93" /sc MINUTE /mo 14 /tr "'C:\Windows\LiveKernelReports\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e93" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e93" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e93" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OSn3E3ruTQ.bat

Filesize
235B

MD5
7f1841ba3fc417f5fe473a3cec2c3d76

SHA1
e53710d05d1a0a3dab862b1f7bea299f5172b486

SHA256
6ba3e8472bd55425a57e4f6a5828a170e2986455dd26aefaa2e157de2859a442

SHA512
7d65089b93abadb8024688b86f23513889f3c8ede53ab1b1bdbce30be768aca0448f3a4c8a2ea8f3b2a2c9d5e3b7ae6e1eb97e405c43ef890095198fa05d79b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6365.tmp

Filesize
1KB

MD5
8347086cfff2251bb59840ef1f4cdf30

SHA1
c4dc73d7188fe71f609e50fedb0ea259ff080552

SHA256
1131eb5bdc4df349d69caf8973326f4b5e90f86cd6f944010ddf77c99740803a

SHA512
bce852fff175ae8437b8779173566a0450e1222599cee1e6f2ca08b04a3bfab48469f395812817a54d9f02720f033f00e2b542c6ebf5d85a75451b378c94bc10

Download Submit
C:\Windows\Cursors\Idle.exe

Filesize
426KB

MD5
2d94c0a9c700f4a1552a1e2fe2cd33e2

SHA1
7dfe6f390ea59bc8d53431cd3a4756c109e201ee

SHA256
352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9

SHA512
4add372efa87a762a63c528699b84ce3f0ad4f4f4966fb58a721d92a9d5e1f2acc49e8e406c89a25ba1698cb1ceb0714e9b63109ba3a26b24ee696096ce855f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uc1qgtoe\uc1qgtoe.0.cs

Filesize
359B

MD5
94ebcfe7e05e51b51c5fa85aca101042

SHA1
9dd2b8fa038d2effafc0d4617d8a44a92179919b

SHA256
7f1fe4a12b944fc8489c87695df7610482560e5eeb32e147606437d59c7ea837

SHA512
08c538caa08315b6e17af3942f7d28e03a5125b565148996deb53dabba3fee9a4264a248eee01869677fc0a3f1cd1c3fbf5f5ff46ba5f7c1f6f4285d0268fa27

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uc1qgtoe\uc1qgtoe.cmdline

Filesize
235B

MD5
7e248075bc610811bf284a9da695faf1

SHA1
6d5e86d9d87b737a448ef63b2122304fe8195513

SHA256
d7566da0dbe0aa2da39e62425ff7ba4165bff149887b8588b34e17528a0f214c

SHA512
f371871908970e02ba8329b737d30ba18b3230a53eab403918e156c0055cccd5c2f03d5bf6378c85ddb1d5542305f05c64b4645d37bdc6798f7ef9f25ef361a9

Download Submit
\??\c:\Windows\System32\CSC3AE5F8C2D85B4E82BB357E62DDA3A06A.TMP

Filesize
1KB

MD5
167c870490dc33ec13a83ebb533b1bf6

SHA1
182378ebfa7c8372a988dee50a7dd6f8cda6a367

SHA256
3f742a374ad5a8da8fba9dfea27c7382dde145d46732cfc0002a53a1311df5e6

SHA512
1b48bb5f270f5d99d9dd98cd9da5866aed9377957d92bf1d686878522c438b38a444073c1a0ed4cc85f97315d2ef6abf05b74ab2265fecb20be5795b2ccef64e

Download Submit
memory/1300-52-0x0000000000350000-0x0000000000422000-memory.dmp

Filesize
840KB

Download
memory/1300-51-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download
memory/2372-7-0x0000000000320000-0x000000000033C000-memory.dmp

Filesize
112KB

Download
memory/2372-10-0x0000000000340000-0x0000000000358000-memory.dmp

Filesize
96KB

Download
memory/2372-16-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/2372-18-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/2372-14-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/2372-19-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/2372-13-0x0000000000300000-0x000000000030E000-memory.dmp

Filesize
56KB

Download
memory/2372-17-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/2372-11-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/2372-0-0x000007FEF5DB3000-0x000007FEF5DB4000-memory.dmp

Filesize
4KB

Download
memory/2372-8-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/2372-5-0x00000000002F0000-0x00000000002FE000-memory.dmp

Filesize
56KB

Download
memory/2372-3-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/2372-48-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/2372-2-0x000000001A910000-0x000000001A9E2000-memory.dmp

Filesize
840KB

Download
memory/2372-1-0x0000000000D20000-0x0000000000D28000-memory.dmp

Filesize
32KB

Download