dcrat | 5ab7d1d71590cd6e8e280f575c34d589a85bfcec5e469d2c87eb2ee1d844e170

Analysis

max time kernel
132s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Size

427KB
MD5

7f846323072bb436b75c33cd7fe40bfd
SHA1

391872ddfa1aeb8451af41e40d8341453112e601
SHA256

5ab7d1d71590cd6e8e280f575c34d589a85bfcec5e469d2c87eb2ee1d844e170
SHA512

4a795ae6e26332b73d1b5f88e67eb89ede1f55205fa86417d374a1b94fc81ddb6bb02dcb222bfb4367ffffbb666bbf28d389b4298b2c649aed7b877b96a12ec1
SSDEEP

12288:mDLfHXFL+Kfcos8Us9s4R1d4j7nwlmyAgn/fV:mtyUAQnR+7wlmy7/t

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\Admin\\Pictures\\Idle.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\Admin\\Pictures\\Idle.exe\", \"C:\\Users\\Public\\Libraries\\System.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\Admin\\Pictures\\Idle.exe\", \"C:\\Users\\Public\\Libraries\\System.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\sppsvc.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2108	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2108	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2108	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2108	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2108	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2108	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2108	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2108	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2108	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2108	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2108	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2108	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2108	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2108	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2108	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2108	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2108	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2108	schtasks.exe	30

DCRat payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2104-2-0x00000000008F0000-0x00000000009C2000-memory.dmp	family_dcrat_v2
behavioral1/memory/2432-52-0x000000001AB30000-0x000000001AC02000-memory.dmp	family_dcrat_v2

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid	Process
2432	csrss.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Admin\\Pictures\\Idle.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\Libraries\\System.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows NT\\sppsvc.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows NT\\sppsvc.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Admin\\Pictures\\Idle.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\Libraries\\System.exe\""	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	Process
File created	\??\c:\Windows\System32\CSCB15189C8B4A342309B9DDFAC62D22FF.TMP	csc.exe
File created	\??\c:\Windows\System32\gxbog2.exe	csc.exe

Drops file in Program Files directory 4 IoCs

Processes:

352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

description	ioc	Process
File created	C:\Program Files\Windows Mail\it-IT\csrss.exe	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
File created	C:\Program Files\Windows Mail\it-IT\886983d96e3d3e	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
File created	C:\Program Files\Windows NT\sppsvc.exe	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
File created	C:\Program Files\Windows NT\0a1fd5f707cd16	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

Drops file in Windows directory 1 IoCs

Processes:

352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

description	ioc	Process
File created	C:\Windows\Speech\Common\csrss.exe	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2328	schtasks.exe
1504	schtasks.exe
2020	schtasks.exe
2728	schtasks.exe
3024	schtasks.exe
2612	schtasks.exe
1256	schtasks.exe
1952	schtasks.exe
2944	schtasks.exe
2668	schtasks.exe
3008	schtasks.exe
2524	schtasks.exe
1992	schtasks.exe
1388	schtasks.exe
1684	schtasks.exe
2904	schtasks.exe
2804	schtasks.exe
2120	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

pid	Process
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

csrss.exe

pid	Process
2432	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.execsrss.exe

description	pid	Process
Token: SeDebugPrivilege	2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Token: SeDebugPrivilege	2432	csrss.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.execsc.execmd.exe

description	pid	Process	procid_target
PID 2104 wrote to memory of 2212	2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe	34
PID 2104 wrote to memory of 2212	2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe	34
PID 2104 wrote to memory of 2212	2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe	34
PID 2212 wrote to memory of 2768	2212	csc.exe	37
PID 2212 wrote to memory of 2768	2212	csc.exe	37
PID 2212 wrote to memory of 2768	2212	csc.exe	37
PID 2104 wrote to memory of 1008	2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe	53
PID 2104 wrote to memory of 1008	2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe	53
PID 2104 wrote to memory of 1008	2104	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe	53
PID 1008 wrote to memory of 1080	1008	cmd.exe	55
PID 1008 wrote to memory of 1080	1008	cmd.exe	55
PID 1008 wrote to memory of 1080	1008	cmd.exe	55
PID 1008 wrote to memory of 1688	1008	cmd.exe	56
PID 1008 wrote to memory of 1688	1008	cmd.exe	56
PID 1008 wrote to memory of 1688	1008	cmd.exe	56
PID 1008 wrote to memory of 2432	1008	cmd.exe	57
PID 1008 wrote to memory of 2432	1008	cmd.exe	57
PID 1008 wrote to memory of 2432	1008	cmd.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
"C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tz1nxn4t\tz1nxn4t.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA61.tmp" "c:\Windows\System32\CSCB15189C8B4A342309B9DDFAC62D22FF.TMP"
    3⤵
    PID:2768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hswCiqt5p0.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1080
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1688
- - C:\Program Files\Windows Mail\it-IT\csrss.exe
    "C:\Program Files\Windows Mail\it-IT\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Pictures\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Pictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Libraries\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e93" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e93" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows NT\sppsvc.exe

Filesize
427KB

MD5
7f846323072bb436b75c33cd7fe40bfd

SHA1
391872ddfa1aeb8451af41e40d8341453112e601

SHA256
5ab7d1d71590cd6e8e280f575c34d589a85bfcec5e469d2c87eb2ee1d844e170

SHA512
4a795ae6e26332b73d1b5f88e67eb89ede1f55205fa86417d374a1b94fc81ddb6bb02dcb222bfb4367ffffbb666bbf28d389b4298b2c649aed7b877b96a12ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCA61.tmp

Filesize
1KB

MD5
9bc50b316d1946261c757b0f7c7da120

SHA1
7d5f59f8b38d2c0c3c96fe8fcecef58e1daee89e

SHA256
a86baf2574725d58abfb918ea2537b663645bf2e55ee72c2d28c6ff891f7a6da

SHA512
30aa66841679cdbe69d86680f1874a549f24958f92d113a1f0ea4ce49ae1672a76d296a58659cd8067336c5247f50feb83c24e0c4351c18e6797131a46f8c34e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hswCiqt5p0.bat

Filesize
221B

MD5
4296d19f1a329bf2b724e8a4ade3455e

SHA1
0e5b1201e6630e8ef984594ad55d5c7e3e8470f6

SHA256
7addf0556be8711cb927ac5b716892dd8994286d77aa40ac098ff82f8622c216

SHA512
a2912308754922f00fe938412362b0b63b5c61e511e0811e553adab9abd271c02a541cec9a1a909792c168c1300a3f3e2d061f089e170016d48013880bd365a1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tz1nxn4t\tz1nxn4t.0.cs

Filesize
370B

MD5
53e934055068d9083925e7ec8580e2c4

SHA1
77b9294ae8b419bcaa2ae9ccbdb616b0c23e598a

SHA256
82ced0750a86e9fff5b250885d9eb91b822832dbccc431214e5331630bc2be9b

SHA512
b88cd9e55ac7ca83e5187c3d45f51d6aba781b691c770c84887b17465f30e5210bb9245844a9c94710a07aae3d9dd9788ad82a9b2854f3e17f336f829cfbf250

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tz1nxn4t\tz1nxn4t.cmdline

Filesize
235B

MD5
d61440ff94395a56abc2c516a00188f3

SHA1
dbc086b1998731496896648a81b25436c9c0a82d

SHA256
eb3b7438571ddad01ff1a73e6f18ddf988dabe60633566cb74ca894202ae8a61

SHA512
2de62d2e497ede75ec6bee08993adabe33c938e878afb77968663ab25be05d06b20c240469d186b4e5b33f26363cf48445d8ec7b1c3bfd468d82c47691a10ff7

Download Submit
\??\c:\Windows\System32\CSCB15189C8B4A342309B9DDFAC62D22FF.TMP

Filesize
1KB

MD5
dbb2cd021b80875d9c777c705ef845c8

SHA1
3ed0cde3b4f4d8267c3cddd37dd4ede100b5ecce

SHA256
a4d8c8c391bc1975510bdea24653db0f578d998dead4ce7f8a85eb8fbb3ec829

SHA512
a8076e4d1b1641e189d2066050809ce0cce557e23c110fba77c2cfb7448b5915252b2e2f4d3443f708941277b947b951cfba6c191980a09b8c7710589c766c8e

Download Submit
memory/2104-9-0x0000000000440000-0x0000000000458000-memory.dmp

Filesize
96KB

Download
memory/2104-30-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-12-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-14-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/2104-15-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

Filesize
4KB

Download
memory/2104-27-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-28-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-29-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-11-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/2104-7-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2104-5-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/2104-3-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-2-0x00000000008F0000-0x00000000009C2000-memory.dmp

Filesize
840KB

Download
memory/2104-47-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-1-0x00000000009C0000-0x00000000009C8000-memory.dmp

Filesize
32KB

Download
memory/2432-51-0x0000000001370000-0x0000000001378000-memory.dmp

Filesize
32KB

Download
memory/2432-52-0x000000001AB30000-0x000000001AC02000-memory.dmp

Filesize
840KB

Download