dcrat | d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020be

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
Size

1.5MB
MD5

f98b8d957e56a925bdfe1a9ed6182860
SHA1

c30bd13e13837e96f0affe38dc3603d978c20d91
SHA256

d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020be
SHA512

7766fe75347bca80d4754f1e7eebdafb134de91491e94f951b5a22ae27a62d7015f5c6c326aeb6ab65cd8f176e4f8ba355f11751b4685c5c1d60765526ed6111
SSDEEP

24576:ceaMajUi+6C+mDjn7gbkFaSH7Wu4mIWGE1Sy/fBEXTHhaTEEER71RM4I13:ceaj9bHmMbkBHVdGE1Sy/ujhaIh+1

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	940	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	940	schtasks.exe	86

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2588-1-0x0000000000F50000-0x00000000010DE000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cd5-29.dat	dcrat
behavioral2/files/0x000d000000023b8a-107.dat	dcrat
behavioral2/files/0x000d000000023b8d-118.dat	dcrat
behavioral2/files/0x0013000000023b8f-154.dat	dcrat
behavioral2/files/0x000a000000023cd5-202.dat	dcrat
behavioral2/files/0x000a000000023cd1-263.dat	dcrat
behavioral2/memory/4536-266-0x0000000000C70000-0x0000000000DFE000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe

Executes dropped EXE 1 IoCs

pid	Process
4536	MusNotification.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\TextInputHost.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\unsecapp.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\TextInputHost.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\MusNotification.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCXE369.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\RCXE784.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\unsecapp.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\MusNotification.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\aa97147c4c782d	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\MusNotification.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\aa97147c4c782d	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RCXDE54.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\RCXE7F2.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCXED84.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Program Files\ModifiableWindowsApps\RuntimeBroker.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\f3b6ecef712a24	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCXED73.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXEF89.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXEFF7.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\29c1c3cc0f7685	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Program Files\MSBuild\Microsoft\22eafd247d37c3	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RCXDEC2.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCXE36A.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\MusNotification.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\RCXD9BD.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Windows\PLA\Rules\wininit.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Windows\PLA\Rules\56085415360792	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Windows\ja-JP\121e5b5079f7c0	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Windows\PLA\Rules\RCXD798.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\RCXD9BC.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Windows\addins\Idle.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\27d1bcfc3c54e0	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Windows\addins\RCXD572.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Windows\ja-JP\RCXDBD1.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Windows\ja-JP\sysmon.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Windows\addins\Idle.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Windows\addins\6ccacd8608530f	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Windows\addins\RCXD573.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Windows\ja-JP\RCXDBD2.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File created	C:\Windows\ja-JP\sysmon.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Windows\PLA\Rules\RCXD788.tmp	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
File opened for modification	C:\Windows\PLA\Rules\wininit.exe	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4404	schtasks.exe
2312	schtasks.exe
4632	schtasks.exe
4860	schtasks.exe
4104	schtasks.exe
1832	schtasks.exe
3576	schtasks.exe
4828	schtasks.exe
3068	schtasks.exe
1680	schtasks.exe
2276	schtasks.exe
776	schtasks.exe
1672	schtasks.exe
4776	schtasks.exe
2996	schtasks.exe
3276	schtasks.exe
1396	schtasks.exe
3596	schtasks.exe
3504	schtasks.exe
864	schtasks.exe
1800	schtasks.exe
2156	schtasks.exe
2484	schtasks.exe
3964	schtasks.exe
4520	schtasks.exe
3760	schtasks.exe
1500	schtasks.exe
4932	schtasks.exe
4488	schtasks.exe
4528	schtasks.exe
4780	schtasks.exe
1668	schtasks.exe
3772	schtasks.exe
5088	schtasks.exe
2108	schtasks.exe
4836	schtasks.exe
3264	schtasks.exe
3700	schtasks.exe
544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
4536	MusNotification.exe
4536	MusNotification.exe
4536	MusNotification.exe
4536	MusNotification.exe
4536	MusNotification.exe
4536	MusNotification.exe
4536	MusNotification.exe
4536	MusNotification.exe
4536	MusNotification.exe
4536	MusNotification.exe
4536	MusNotification.exe
4536	MusNotification.exe
4536	MusNotification.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
Token: SeDebugPrivilege	4536	MusNotification.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 4536	2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe	132
PID 2588 wrote to memory of 4536	2588	d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe
"C:\Users\Admin\AppData\Local\Temp\d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020beN.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Program Files (x86)\Mozilla Maintenance Service\MusNotification.exe
  "C:\Program Files (x86)\Mozilla Maintenance Service\MusNotification.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\PLA\Rules\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\PLA\Rules\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\ja-JP\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Users\Public\Videos\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Start Menu\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Start Menu\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\MusNotification.exe

Filesize
1.5MB

MD5
5a5d888dad4ad7c11d2418a9b49fc07a

SHA1
27bcc83f6e89b812cec6304f9fff2e6104780a7c

SHA256
52a01842ca4b6ebfdea07cd68e8a1c3143b1c586cf1da088f4c8f8e9e8952107

SHA512
da29f272eed4e95d493538415daf79a86dec6d9bf49488be72d3970e668156739b8bc68084cf8385edd77df90298cd9905599792d8200c3e2cb1adc1a8e50ce4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\unsecapp.exe

Filesize
1.5MB

MD5
f98b8d957e56a925bdfe1a9ed6182860

SHA1
c30bd13e13837e96f0affe38dc3603d978c20d91

SHA256
d4a31dc5744b566f097f20ee18f55acedec23a55117c88e3cca8d65d8f4020be

SHA512
7766fe75347bca80d4754f1e7eebdafb134de91491e94f951b5a22ae27a62d7015f5c6c326aeb6ab65cd8f176e4f8ba355f11751b4685c5c1d60765526ed6111

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\unsecapp.exe

Filesize
1.5MB

MD5
9a8d73f96da5ec67c435557576556ded

SHA1
136031c1898eaf57f0d2e12df05bc562625a04ba

SHA256
9b3760a344c1fdaa20b3f3aa26596f52ab8a27f5600107454e31578dbd43770f

SHA512
f195cfbdb7a5ec28a41f48255d138982297704d8e351ca1e29fb471cc63512560e0c8ca4a7a19a1e327c2bcc16456408c8ee0cafba7f1bd24634bfd7e8acfcd2

Download Submit
C:\Program Files\MSBuild\Microsoft\TextInputHost.exe

Filesize
1.5MB

MD5
c0144e843a57f8eb7cd2b5f47ffdf67a

SHA1
b1a3a9a76fe79e47e529cdf01caba194cf918891

SHA256
d8c40ae54b5d0cbc8b0cc6a4a075ab89e83633aa0f68cc9060a1962f3d4d8f4a

SHA512
ac063eadfd7015607faa5c28f791545459dcb80c8daa783f9add4eddca5695c5e06570f440a27862d06551871a09ea975a5f099d2654caf47e075033bd470362

Download Submit
C:\Recovery\WindowsRE\csrss.exe

Filesize
1.5MB

MD5
5f7175caa00fac1159bdabb703c38117

SHA1
34b4e240ac9bfa9e00713bdb65752c936d51a1ca

SHA256
07ca05fc74303ece5ef3a03d180f1709fe55bee2199540ce1fdc0b30dca7ed66

SHA512
ac2f18b96576aaa58b21320e017c2de1418d300a2c92e4f1b296d0c23caaca0848b626b7196107513a6248191d57a47b1b931ac2cdcbabed6b6b184c3463d937

Download Submit
C:\Users\Public\Videos\MusNotification.exe

Filesize
1.5MB

MD5
6eaabda1dcda8845de603fd9cc8c5632

SHA1
b8f0835bb45cef4b5caf49598c7ec924dd914c30

SHA256
1dda412314672b2eba97b9c33c9235ec1c84b8b9af96bad6579c4ef47b276b7c

SHA512
61488b2ae20158d8ace21282600000111aab818a1b9230a5da1754e9870208cd34f157eceb4db467b4741db605af28b840e6a2ecad5db33d4eea4509bb972fc0

Download Submit
memory/2588-7-0x000000001BE10000-0x000000001BE26000-memory.dmp

Filesize
88KB

Download
memory/2588-24-0x00007FFC37110000-0x00007FFC37BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2588-0-0x00007FFC37113000-0x00007FFC37115000-memory.dmp

Filesize
8KB

Download
memory/2588-9-0x000000001BE40000-0x000000001BE48000-memory.dmp

Filesize
32KB

Download
memory/2588-12-0x000000001BEB0000-0x000000001BEBC000-memory.dmp

Filesize
48KB

Download
memory/2588-11-0x000000001BE50000-0x000000001BE58000-memory.dmp

Filesize
32KB

Download
memory/2588-15-0x000000001BEE0000-0x000000001BEEC000-memory.dmp

Filesize
48KB

Download
memory/2588-14-0x000000001BED0000-0x000000001BED8000-memory.dmp

Filesize
32KB

Download
memory/2588-13-0x000000001BEC0000-0x000000001BECE000-memory.dmp

Filesize
56KB

Download
memory/2588-16-0x000000001C400000-0x000000001C408000-memory.dmp

Filesize
32KB

Download
memory/2588-17-0x000000001C410000-0x000000001C41A000-memory.dmp

Filesize
40KB

Download
memory/2588-20-0x00007FFC37110000-0x00007FFC37BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2588-21-0x00007FFC37110000-0x00007FFC37BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2588-8-0x000000001BE30000-0x000000001BE40000-memory.dmp

Filesize
64KB

Download
memory/2588-5-0x0000000003250000-0x0000000003258000-memory.dmp

Filesize
32KB

Download
memory/2588-6-0x000000001BCF0000-0x000000001BD00000-memory.dmp

Filesize
64KB

Download
memory/2588-4-0x000000001BE60000-0x000000001BEB0000-memory.dmp

Filesize
320KB

Download
memory/2588-145-0x00007FFC37113000-0x00007FFC37115000-memory.dmp

Filesize
8KB

Download
memory/2588-3-0x000000001BCD0000-0x000000001BCEC000-memory.dmp

Filesize
112KB

Download
memory/2588-169-0x00007FFC37110000-0x00007FFC37BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2588-170-0x00007FFC37110000-0x00007FFC37BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2588-2-0x00007FFC37110000-0x00007FFC37BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2588-205-0x00007FFC37110000-0x00007FFC37BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2588-1-0x0000000000F50000-0x00000000010DE000-memory.dmp

Filesize
1.6MB

Download
memory/2588-267-0x00007FFC37110000-0x00007FFC37BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2588-268-0x00007FFC37110000-0x00007FFC37BD1000-memory.dmp

Filesize
10.8MB

Download
memory/4536-266-0x0000000000C70000-0x0000000000DFE000-memory.dmp

Filesize
1.6MB

Download