Analysis
max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 17:50
Behavioral task behavioral1: sample 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe, resource win7-20240903-en
Behavioral task behavioral2: sample 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe, resource win10v2004-20241007-en
General
Target: 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe
Size: 1.1MB
MD5: a4ea523b57cc90848732ee08117646d0
SHA1: a9706d93616af18f00027c6d9c29b6b877497c1e
SHA256: 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d
SHA512: b280ef14615e5ebd8aece055c6a1eed253a68b47c26df4e92ed16df054db86d838495056806ff87893e04717e939983aae05dcf4c90eb1c5d2176728a0716a05
SSDEEP: 24576:AMYPCI+q+U4cIG409ozWucypk1Nd4AX+iB/YjuM6kyh+i:ABPZ0Kr1FXHB/guM6k+V
Malware Config
Signatures
-
DcRat 33 IoCs
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
Matched processes (all schtasks.exe), PIDs: 2640, 2312, 2796, 1616, 1264, 1444, 1240, 1120, 2564, 2016, 2116, 1152, 2008, 1084, 3004, 2800, 2664, 2324, 2928, 2968, 2208, 3032, 2648, 2600, 2572, 2776, 760, 2172, 1876, 2872, 1584, 1160, 776
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 11 IoCs
Value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (type str), written by 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe. This value normally holds only explorer.exe; Winlogon starts every program listed in it at logon. The sample rewrites it 11 times, each write appending one more of the dropped executables, in this order:
- C:\Users\Admin\Recent\sppsvc.exe
- C:\Program Files\VideoLAN\VLC\skins\fonts\WmiPrvSE.exe
- C:\Program Files\Internet Explorer\it-IT\dllhost.exe
- C:\Windows\tracing\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe
- C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCFFRast#\explorer.exe
- C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe
- C:\Program Files\Windows NT\spoolsv.exe
- C:\Program Files (x86)\Windows Defender\en-US\System.exe
- C:\Users\Admin\PrintHood\taskhost.exe
- C:\Program Files\Microsoft Games\Minesweeper\de-DE\dllhost.exe
- C:\Users\All Users\csrss.exe
Final value as stored (the report shows it with escaped quotes and backslashes):
explorer.exe, "C:\Users\Admin\Recent\sppsvc.exe", "C:\Program Files\VideoLAN\VLC\skins\fonts\WmiPrvSE.exe", "C:\Program Files\Internet Explorer\it-IT\dllhost.exe", "C:\Windows\tracing\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe", "C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCFFRast#\explorer.exe", "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe", "C:\Program Files\Windows NT\spoolsv.exe", "C:\Program Files (x86)\Windows Defender\en-US\System.exe", "C:\Users\Admin\PrintHood\taskhost.exe", "C:\Program Files\Microsoft Games\Minesweeper\de-DE\dllhost.exe", "C:\Users\All Users\csrss.exe"
Process spawned unexpected child process 33 IoCs
The generic description of this signature is that the parent process was compromised via an exploit or macro. Here every hit has the same shape: parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2216) spawns schtasks.exe. WmiPrvSE.exe is the WMI provider host, and a child of it is what a process creation requested through WMI (for example Win32_Process.Create) looks like, so the more likely reading is that the sample issues its schtasks commands over WMI, not that the provider host was exploited.
Children of wmiprvse.exe (PID 2216), all schtasks.exe, procid_target 30, PIDs: 2800, 2872, 2796, 3004, 1152, 1616, 2640, 2648, 2600, 2664, 2312, 2572, 2008, 1084, 1584, 1160, 1120, 2776, 2928, 2564, 776, 2968, 760, 2016, 1264, 1444, 2208, 2172, 2116, 1240, 1876, 2324, 3032
Dcrat family, yara rule "dcrat" matched in:
- behavioral1/memory/2684-1-0x0000000001350000-0x000000000147E000-memory.dmp (PID 2684, the submitted sample)
- behavioral1/files/0x0006000000016141-15.dat (dropped file)
- behavioral1/memory/1056-38-0x0000000001370000-0x000000000149E000-memory.dmp (PID 1056, taskhost.exe)
Executes dropped EXE 1 IoCs
PID 1056 taskhost.exe
Adds Run key to start application 2 TTPs 22 IoCs
The same 11 values (type str) are written by 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe to both HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKU\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run:
- spoolsv = "C:\Program Files\Windows NT\spoolsv.exe"
- 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d = "C:\Windows\tracing\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe"
- WmiPrvSE = "C:\Program Files\VideoLAN\VLC\skins\fonts\WmiPrvSE.exe"
- dllhost = "C:\Program Files\Internet Explorer\it-IT\dllhost.exe"
- dllhost = "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe"
- dllhost = "C:\Program Files\Microsoft Games\Minesweeper\de-DE\dllhost.exe"
- System = "C:\Program Files (x86)\Windows Defender\en-US\System.exe"
- sppsvc = "C:\Users\Admin\Recent\sppsvc.exe"
- taskhost = "C:\Users\Admin\PrintHood\taskhost.exe"
- csrss = "C:\Users\All Users\csrss.exe"
- explorer = "C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCFFRast#\explorer.exe"
Note that the three dllhost.exe copies share the value name dllhost, so each write overwrites the previous one and only one of the three survives in each hive; the scheduled tasks and the Winlogon Shell value cover the other two.
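As an added example (not part of the sandbox report and not DcRat's own code), the following Python checks a Winlogon Shell value and a set of Run-key values for the two traits visible in the Winlogon and Run-key sections above: anything beyond explorer.exe appended to Shell, and autostart targets that carry the name of a Windows system process but live outside the system directories. The sample values marked "from report" are copied from this page; the OneDrive entry, the list of borrowed process names and the system-directory list are constructed assumptions.

```python
"""Audit Winlogon\\Shell and Run-key autostart values for the traits seen in the
report above. Added example: values marked 'from report' are copied from the
sandbox output; everything else is a constructed assumption."""
import csv
import ntpath

# Assumption: names of Windows system processes that malware likes to borrow.
# A file with one of these names outside SYSTEM_DIRS is a masquerading candidate.
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "lsm.exe", "spoolsv.exe", "sppsvc.exe", "taskhost.exe",
    "dllhost.exe", "wmiprvse.exe", "explorer.exe", "system.exe",
}
# explorer.exe legitimately lives in C:\Windows, the others in System32/SysWOW64.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_shell_value(value):
    """Split a Winlogon Shell string into its program entries.
    Entries are comma separated; quoted entries may contain spaces and commas."""
    rows = list(csv.reader([value], skipinitialspace=True))
    return [item.strip() for item in rows[0] if item.strip()] if rows else []


def audit_shell_value(value):
    """Return (tampered, extra_entries). A clean Shell value is exactly explorer.exe."""
    entries = parse_shell_value(value)
    tampered = [e.lower() for e in entries] != ["explorer.exe"]
    extra = [e for e in entries if e.lower() != "explorer.exe"]
    return tampered, extra


def command_image(cmd):
    """Image path from Run-key data such as '"C:\\p q\\x.exe" /arg' or 'C:\\p\\x.exe /arg'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_masquerading(path):
    """True if the basename is a system-process name but the directory is not a system one."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower().rstrip("\\")
    return name in SYSTEM_PROCESS_NAMES and directory not in SYSTEM_DIRS


def audit_run_values(run_values):
    """run_values: {value name: data}. Returns {value name: image} for masquerading targets."""
    return {name: command_image(data) for name, data in run_values.items()
            if is_masquerading(command_image(data))}


# From report, abridged to three of the eleven appended paths.
SHELL_FROM_REPORT = (
    'explorer.exe, "C:\\Users\\Admin\\Recent\\sppsvc.exe", '
    '"C:\\Program Files\\Windows NT\\spoolsv.exe", "C:\\Users\\All Users\\csrss.exe"'
)
RUN_VALUES = {
    "spoolsv": '"C:\\Program Files\\Windows NT\\spoolsv.exe"',  # from report
    "csrss": '"C:\\Users\\All Users\\csrss.exe"',  # from report
    "explorer": '"C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\PresentationCFFRast#\\explorer.exe"',  # from report
    "OneDrive": '"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',  # constructed benign entry
}

if __name__ == "__main__":
    tampered, extra = audit_shell_value(SHELL_FROM_REPORT)
    print("Winlogon\\Shell tampered:", tampered)
    for path in extra:
        print("  extra entry:", path, "(masquerading)" if is_masquerading(path) else "")
    for name, image in audit_run_values(RUN_VALUES).items():
        print("Run value", name, "->", image, "masquerades as a system process")
```

The Shell parser uses the csv module because the registry value is a comma separated list in which quoted paths may themselves contain spaces; the masquerade check is deliberately strict about directories, since every payload in this report borrows a system-process name while sitting under Program Files, a user profile or an odd Windows subdirectory.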
Drops file in Program Files directory 10 IoCs
Files created by 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe:
- C:\Program Files\Internet Explorer\it-IT\dllhost.exe
- C:\Program Files\Internet Explorer\it-IT\5940a34987c991
- C:\Program Files\Microsoft Games\Minesweeper\de-DE\dllhost.exe
- C:\Program Files\Microsoft Games\Minesweeper\de-DE\5940a34987c991
- C:\Program Files\Windows NT\spoolsv.exe
- C:\Program Files\Windows NT\f3b6ecef712a24
- C:\Program Files (x86)\Windows Defender\en-US\System.exe
- C:\Program Files (x86)\Windows Defender\en-US\27d1bcfc3c54e0
- C:\Program Files\VideoLAN\VLC\skins\fonts\WmiPrvSE.exe
- C:\Program Files\VideoLAN\VLC\skins\fonts\24dbde2999530e
Each executable is accompanied by a short hex-named companion file in the same directory.
Drops file in Windows directory 5 IoCs
Files created by 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe:
- C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCFFRast#\explorer.exe
- C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCFFRast#\7a0fd90576e088
- C:\Windows\Speech\Common\de-DE\lsm.exe
- C:\Windows\tracing\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe
- C:\Windows\tracing\b80884f09645da
lsm.exe is the one dropped executable for which this report shows no Run key, Winlogon entry or scheduled task.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe PIDs: 760, 3004, 1616, 1120, 1264, 1876, 2572, 1444, 1240, 2640, 2776, 2564, 2312, 2208, 2872, 2796, 2008, 1584, 2016, 2324, 1152, 776, 2116, 2928, 2968, 2800, 2648, 2600, 2664, 1084, 1160, 2172, 3032
Suspicious behavior: EnumeratesProcesses 4 IoCs
PID 2684 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe (3 hits); PID 1056 taskhost.exe (1 hit)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Token SeDebugPrivilege: PID 2684 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe; PID 1056 taskhost.exe
Suspicious use of WriteProcessMemory 9 IoCs
- PID 2684 (93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe) wrote to memory of PID 2200, procid_target 64, 3 times
- PID 2200 (cmd.exe) wrote to memory of PID 468, procid_target 66, 3 times
- PID 2200 (cmd.exe) wrote to memory of PID 1056, procid_target 67, 3 times
Each target is the direct child the same parent launches in the process tree (2200 cmd.exe, 468 w32tm.exe, 1056 taskhost.exe), so these writes are consistent with ordinary process creation rather than injection into an already running process.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe (PID 2684)
  command line: "C:\Users\Admin\AppData\Local\Temp\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe"
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe (PID 2200)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T9iG1lgczy.bat"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\w32tm.exe (PID 468)
      command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    C:\Users\Admin\PrintHood\taskhost.exe (PID 1056)
      command line: "C:\Users\Admin\PrintHood\taskhost.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
The batch file runs w32tm first; with /period:5 /samples:2 that command blocks for several seconds and serves as a delay before the dropped taskhost.exe is started from the user's PrintHood folder.
C:\Windows\system32\schtasks.exe, 33 instances, each a top-level entry in the tree (their parent is wmiprvse.exe PID 2216, see "Process spawned unexpected child process"), each tagged DcRat, Process spawned unexpected child process and Scheduled Task/Job: Scheduled Task:
- PID 2800: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Recent\sppsvc.exe'" /f
- PID 2872: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Recent\sppsvc.exe'" /rl HIGHEST /f
- PID 2796: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Recent\sppsvc.exe'" /rl HIGHEST /f
- PID 3004: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\WmiPrvSE.exe'" /f
- PID 1152: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\WmiPrvSE.exe'" /rl HIGHEST /f
- PID 1616: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\WmiPrvSE.exe'" /rl HIGHEST /f
- PID 2640: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\it-IT\dllhost.exe'" /f
- PID 2648: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\dllhost.exe'" /rl HIGHEST /f
- PID 2600: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\it-IT\dllhost.exe'" /rl HIGHEST /f
- PID 2664: schtasks.exe /create /tn "93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d9" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe'" /f
- PID 2312: schtasks.exe /create /tn "93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d" /sc ONLOGON /tr "'C:\Windows\tracing\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe'" /rl HIGHEST /f
- PID 2572: schtasks.exe /create /tn "93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d9" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe'" /rl HIGHEST /f
- PID 2008: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCFFRast#\explorer.exe'" /f
- PID 1084: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCFFRast#\explorer.exe'" /rl HIGHEST /f
- PID 1584: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCFFRast#\explorer.exe'" /rl HIGHEST /f
- PID 1160: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
- PID 1120: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
- PID 2776: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
- PID 2928: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\spoolsv.exe'" /f
- PID 2564: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\spoolsv.exe'" /rl HIGHEST /f
- PID 776: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\spoolsv.exe'" /rl HIGHEST /f
- PID 2968: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\en-US\System.exe'" /f
- PID 760: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\System.exe'" /rl HIGHEST /f
- PID 2016: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\en-US\System.exe'" /rl HIGHEST /f
- PID 1264: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\PrintHood\taskhost.exe'" /f
- PID 1444: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\taskhost.exe'" /rl HIGHEST /f
- PID 2208: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\PrintHood\taskhost.exe'" /rl HIGHEST /f
- PID 2172: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Minesweeper\de-DE\dllhost.exe'" /f
- PID 2116: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\de-DE\dllhost.exe'" /rl HIGHEST /f
- PID 1240: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\Minesweeper\de-DE\dllhost.exe'" /rl HIGHEST /f
- PID 1876: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\csrss.exe'" /f
- PID 2324: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
- PID 3032: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
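The 33 task creations above, treated as a parsing and triage exercise: an added Python example, not code from the report or from DcRat, that extracts the /tn, /sc, /mo, /tr and /rl options from each schtasks /create command line, groups the results by launched binary, and flags the pattern every payload receives here (a MINUTE trigger of a few minutes plus an ONLOGON trigger with /rl HIGHEST, created from under WmiPrvSE.exe, with the task named after the target file). The three sppsvc.exe lines and the wmiprvse.exe parent are copied from the report; the NightlyBackup line, its cmd.exe parent and the 15-minute threshold are constructed assumptions.

```python
"""Parse and triage 'schtasks /create' command lines. Added example: the sppsvc
lines and the WMI parent are copied from the report above; the benign backup task,
its parent and the 15-minute threshold are constructed assumptions."""
import ntpath
import re
from collections import defaultdict

# Options of "schtasks /create" that carry a value; quoted values may contain spaces.
VALUE_OPT_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)
CREATE_RE = re.compile(r'(?:^|\s)/create(?:\s|$)', re.IGNORECASE)
SHORT_INTERVAL_MINUTES = 15  # assumption: re-launch intervals at or below this are suspicious


def parse_schtasks_create(cmdline):
    """Extract task name, trigger, interval, target and run level from a
    'schtasks /create' command line. Returns None for anything else."""
    if not CREATE_RE.search(cmdline):
        return None
    # DcRat wraps the target as "'C:\path.exe'", so strip both quote kinds.
    opts = {name.lower(): val.strip('"').strip("'")
            for name, val in VALUE_OPT_RE.findall(cmdline)}
    modifier = opts.get("mo", "")
    return {
        "task": opts.get("tn", ""),
        "schedule": opts.get("sc", "").upper(),
        "modifier": int(modifier) if modifier.isdigit() else None,
        "target": opts.get("tr", ""),
        "highest": opts.get("rl", "").upper() == "HIGHEST",
    }


def summarize_creations(creations):
    """creations: iterable of (command line, parent image path).
    Groups task creations by target binary and records the traits that together
    make up the pattern in this report."""
    summary = defaultdict(lambda: {"tasks": [], "minute_intervals": [],
                                   "onlogon_highest": False, "via_wmi": False,
                                   "name_from_target": False})
    for cmdline, parent in creations:
        t = parse_schtasks_create(cmdline)
        if t is None or not t["target"]:
            continue
        entry = summary[t["target"].lower()]
        entry["tasks"].append(t["task"])
        if t["schedule"] == "MINUTE" and t["modifier"] is not None:
            entry["minute_intervals"].append(t["modifier"])
        if t["schedule"] == "ONLOGON" and t["highest"]:
            entry["onlogon_highest"] = True
        if ntpath.basename(parent).lower() == "wmiprvse.exe":
            entry["via_wmi"] = True
        # The task name is the target's file name, optionally with one extra character
        # (sppsvc / sppsvcs, dllhost / dllhostd, csrss / csrssc in the report).
        stem = ntpath.splitext(ntpath.basename(t["target"]))[0].lower()
        name = t["task"].lower()
        if name == stem or (name.startswith(stem) and len(name) == len(stem) + 1):
            entry["name_from_target"] = True
    return dict(summary)


def dcrat_like(entry):
    """True when one target has both a short MINUTE re-launch trigger and an
    ONLOGON /rl HIGHEST trigger, the triplet every payload above receives."""
    short = any(m <= SHORT_INTERVAL_MINUTES for m in entry["minute_intervals"])
    return short and entry["onlogon_highest"]


WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"  # parent from the report
SAMPLE_CREATIONS = [
    # copied from the report: the sppsvc.exe triplet
    ('schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "\'C:\\Users\\Admin\\Recent\\sppsvc.exe\'" /f', WMI),
    ('schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "\'C:\\Users\\Admin\\Recent\\sppsvc.exe\'" /rl HIGHEST /f', WMI),
    ('schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "\'C:\\Users\\Admin\\Recent\\sppsvc.exe\'" /rl HIGHEST /f', WMI),
    # constructed benign task for comparison
    ('schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\\Program Files\\Backup\\backup.exe" /f',
     r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for target, entry in summarize_creations(SAMPLE_CREATIONS).items():
        verdict = "DcRat-like" if dcrat_like(entry) else "no match"
        print(f"{target}: tasks={entry['tasks']} minute={entry['minute_intervals']} "
              f"onlogon_highest={entry['onlogon_highest']} via_wmi={entry['via_wmi']} "
              f"name_from_target={entry['name_from_target']} -> {verdict}")
```

Grouping by target rather than by task name is what makes the pattern visible: the three names per binary (two of them identical) would otherwise look like unrelated tasks. Feeding it the full list above yields one DcRat-like entry per dropped executable, all created via WMI.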
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
File 1
Filesize: 202B
MD5: 3abdf8389541f5cae37eab3d8d7b5fe1
SHA1: 00242519ab796ff67bea3d0e54baae2b50e4e833
SHA256: 07a8188e5406ca683b1b365903196e900a1a897a037622351488edf1a8d8773f
SHA512: 636b193e34bf31e1403ac05e6bd662c3bdb6ea6aa06b5759a60dd42ac631182d2176c7fe5691abe09bfc71552e125cd174d90abb5ed5f805694939ae25741991
File 2 (same hashes as the submitted sample)
Filesize: 1.1MB
MD5: a4ea523b57cc90848732ee08117646d0
SHA1: a9706d93616af18f00027c6d9c29b6b877497c1e
SHA256: 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d
SHA512: b280ef14615e5ebd8aece055c6a1eed253a68b47c26df4e92ed16df054db86d838495056806ff87893e04717e939983aae05dcf4c90eb1c5d2176728a0716a05