dcrat | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9

Analysis

max time kernel
94s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Size

426KB
MD5

2d94c0a9c700f4a1552a1e2fe2cd33e2
SHA1

7dfe6f390ea59bc8d53431cd3a4756c109e201ee
SHA256

352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9
SHA512

4add372efa87a762a63c528699b84ce3f0ad4f4f4966fb58a721d92a9d5e1f2acc49e8e406c89a25ba1698cb1ceb0714e9b63109ba3a26b24ee696096ce855f4
SSDEEP

12288:mDLfHXFL+Kfcos8Us9s4R1d4j7nwlmyAgn/fT:mtyUAQnR+7wlmy7/7

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Logs\\MeasuredBoot\\dllhost.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Logs\\MeasuredBoot\\dllhost.exe\", \"C:\\Windows\\L2Schemas\\RuntimeBroker.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Logs\\MeasuredBoot\\dllhost.exe\", \"C:\\Windows\\L2Schemas\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Logs\\MeasuredBoot\\dllhost.exe\", \"C:\\Windows\\L2Schemas\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\", \"C:\\Users\\All Users\\dllhost.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Logs\\MeasuredBoot\\dllhost.exe\", \"C:\\Windows\\L2Schemas\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\", \"C:\\Users\\All Users\\dllhost.exe\", \"C:\\Users\\All Users\\SearchApp.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Logs\\MeasuredBoot\\dllhost.exe\", \"C:\\Windows\\L2Schemas\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\", \"C:\\Users\\All Users\\dllhost.exe\", \"C:\\Users\\All Users\\SearchApp.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	1892	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	1892	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	1892	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	1892	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	424	1892	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	1892	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	1892	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	1892	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	1892	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	1892	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	1892	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	1892	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	1892	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1892	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	1892	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	1892	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	1892	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	1892	schtasks.exe	86

DCRat payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3928-2-0x000000001B1F0000-0x000000001B2C2000-memory.dmp	family_dcrat_v2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9 = "\"C:\\Recovery\\WindowsRE\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\dllhost.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Logs\\MeasuredBoot\\dllhost.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Logs\\MeasuredBoot\\dllhost.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\L2Schemas\\RuntimeBroker.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\All Users\\SearchApp.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\All Users\\SearchApp.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\L2Schemas\\RuntimeBroker.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9 = "\"C:\\Recovery\\WindowsRE\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\dllhost.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCB0AE3E9F33284698B4D191D8387CF435.TMP	csc.exe
File created	\??\c:\Windows\System32\s_kgxh.exe	csc.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\RuntimeBroker.exe	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Logs\MeasuredBoot\dllhost.exe	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
File created	C:\Windows\Logs\MeasuredBoot\5940a34987c991	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
File created	C:\Windows\Boot\Misc\unsecapp.exe	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
File created	C:\Windows\L2Schemas\RuntimeBroker.exe	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
File created	C:\Windows\L2Schemas\9e8d7a4ca61bd9	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3548	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3548	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1124	schtasks.exe
3272	schtasks.exe
424	schtasks.exe
4384	schtasks.exe
5052	schtasks.exe
1484	schtasks.exe
1680	schtasks.exe
2012	schtasks.exe
2888	schtasks.exe
3100	schtasks.exe
432	schtasks.exe
2220	schtasks.exe
2856	schtasks.exe
4780	schtasks.exe
1608	schtasks.exe
2556	schtasks.exe
3444	schtasks.exe
2780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Token: SeDebugPrivilege	2136	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 5060	3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe	90
PID 3928 wrote to memory of 5060	3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe	90
PID 5060 wrote to memory of 3996	5060	csc.exe	92
PID 5060 wrote to memory of 3996	5060	csc.exe	92
PID 3928 wrote to memory of 4508	3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe	108
PID 3928 wrote to memory of 4508	3928	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe	108
PID 4508 wrote to memory of 2420	4508	cmd.exe	110
PID 4508 wrote to memory of 2420	4508	cmd.exe	110
PID 4508 wrote to memory of 3548	4508	cmd.exe	111
PID 4508 wrote to memory of 3548	4508	cmd.exe	111
PID 4508 wrote to memory of 2136	4508	cmd.exe	118
PID 4508 wrote to memory of 2136	4508	cmd.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
"C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gccqn2m3\gccqn2m3.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC91C.tmp" "c:\Windows\System32\CSCB0AE3E9F33284698B4D191D8387CF435.TMP"
    3⤵
    PID:3996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x4qHnTjOml.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2420
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3548
- - C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
    "C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\MeasuredBoot\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Logs\MeasuredBoot\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\MeasuredBoot\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\L2Schemas\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e93" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e93" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\All Users\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e93" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e93" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe.log

Filesize
1KB

MD5
23e95ec462ffa2c6ca8cab1cb8724ab1

SHA1
ee3f5e815831cf925c4f00195cc8f336b6112862

SHA256
c6ed38229b96cfb59e61de06854a1a99a9d6c3285a6b8511a7b60d64caa6979c

SHA512
b92242ea8d3dbcd3de11725995c22f0a747b820cfff7cf44217589289621bdc2a25bb4db0e1f385bd6bc84c15d893fa5dad544e6bab89f072ccb822cd8bd08dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC91C.tmp

Filesize
1KB

MD5
a115d6f4c1daa757697d18aa20562bd2

SHA1
d16b7129bb686260ca4733ca1605807bc809953e

SHA256
fb9dcbf1588269c6c6f877d9ed43e2f7270e61463b4c27f8aecdcbab3f293801

SHA512
49d0bea14e7c15e095d1b2bf75785262ca4f9f420eda8a5bfbbd0fbe6801f4ef5a1bf7f5cd22fb2dde4b757626426fd348e5e282f7e212f0fb241322b031aa13

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4qHnTjOml.bat

Filesize
230B

MD5
34d70294649285c2086fbf06c3cdf8bb

SHA1
7114425ab7cd5c761dbd7f4dbd629f56cb1217ec

SHA256
931a2d54a1c9ee3707ad8d885c45f448854a4a747b6611020c4e352ce9fb68d9

SHA512
93936126ea63f95bfa091c83cfbe5e8e9586436a979b516d19ca3ab98bda387709ae76d2a49c5cb859426d853e7815e523bd453d8b375a032b10efd7fe9b1f09

Download Submit
C:\Windows\Logs\MeasuredBoot\dllhost.exe

Filesize
426KB

MD5
2d94c0a9c700f4a1552a1e2fe2cd33e2

SHA1
7dfe6f390ea59bc8d53431cd3a4756c109e201ee

SHA256
352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9

SHA512
4add372efa87a762a63c528699b84ce3f0ad4f4f4966fb58a721d92a9d5e1f2acc49e8e406c89a25ba1698cb1ceb0714e9b63109ba3a26b24ee696096ce855f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gccqn2m3\gccqn2m3.0.cs

Filesize
372B

MD5
9c7c2ddad9008cfcaf92b54224f089cf

SHA1
1569c2929aa544804202c86573f232721c8f00c4

SHA256
7b511eefd74f2a41261cb1ed0d383e31ccbe2ecebd8501775bb777387211f517

SHA512
50b1510918b4ce14da8249f53a93deefffe5af55f9ff4d7017d73daab6ef8da9d95ee003f1536a30b37bce71cb3c2d173c4481404c55cffc075a48a1a36dd29e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gccqn2m3\gccqn2m3.cmdline

Filesize
235B

MD5
9fa80976acb755e8aa2ba2540cc9f118

SHA1
1a50b1ab292b3a1399bd15cbede23558aee376d3

SHA256
7a02ec62d1d3247ea985743e41aa681193f5ffad817279df6a5be87b7c8d1664

SHA512
7d8517b6f3d4c3b7d411401c0df49731154f4107ea1783b3ce23819529721d87f49290e4c84ccafac28a00a2f429e0ef00b49dabeec2e3444a0400078a1b19ba

Download Submit
\??\c:\Windows\System32\CSCB0AE3E9F33284698B4D191D8387CF435.TMP

Filesize
1KB

MD5
634e281a00b7b9f516c3048badfa1530

SHA1
af6369715ce2fe9b99609e470d4f66698880a35a

SHA256
0d990336ae793f3f6903048004c8d707d7a7191927bd7df46b7fe887116506c8

SHA512
1cb35fa0759f5362c9c7eee5546710874121005a3924bcfec2cf33ac90a257a807ce7ec0db7bc84dcb327604d708009449c34f52560ed936b54eeba49be7d27b

Download Submit
memory/3928-13-0x0000000000F40000-0x0000000000F4E000-memory.dmp

Filesize
56KB

Download
memory/3928-29-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/3928-15-0x0000000000F50000-0x0000000000F5C000-memory.dmp

Filesize
48KB

Download
memory/3928-0-0x00007FFB5BBD3000-0x00007FFB5BBD5000-memory.dmp

Filesize
8KB

Download
memory/3928-16-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/3928-11-0x0000000002830000-0x0000000002848000-memory.dmp

Filesize
96KB

Download
memory/3928-28-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/3928-9-0x000000001B170000-0x000000001B1C0000-memory.dmp

Filesize
320KB

Download
memory/3928-30-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/3928-8-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/3928-7-0x0000000000F60000-0x0000000000F7C000-memory.dmp

Filesize
112KB

Download
memory/3928-5-0x0000000000F20000-0x0000000000F2E000-memory.dmp

Filesize
56KB

Download
memory/3928-3-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/3928-48-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/3928-2-0x000000001B1F0000-0x000000001B2C2000-memory.dmp

Filesize
840KB

Download
memory/3928-1-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download