dcrat | 007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59b9f54f927431d2cf31d3aa202a0843.exe
Size

2.2MB
MD5

59b9f54f927431d2cf31d3aa202a0843
SHA1

b23d214605133dc8e930f9a9d473c7c7622b4b56
SHA256

007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594
SHA512

89106822646d8d412d5c956fd01ad37e4b1f34599497f8e362262f82d2d47f4460632019d6ec09da58c45d690ebd03f2812d5809743203be081702680bfb28f8
SSDEEP

24576:9zyhnYISyKSBWpKCeCirC9CMz+052LEgPHQ944INbKK6uK5Ye6KBOO3op+kE9hk4:9zyt2DixLb4I5KKnK5zgdlKWky

Score

10^/10

dcrat discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Signatures

DcRat 38 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2628	schtasks.exe
		2336	schtasks.exe
		2696	schtasks.exe
		588	schtasks.exe
		112	schtasks.exe
		2268	schtasks.exe
File created	C:\Windows\PLA\Templates\24dbde2999530e		59b9f54f927431d2cf31d3aa202a0843.exe
		2644	schtasks.exe
		3008	schtasks.exe
		2972	schtasks.exe
		536	schtasks.exe
		1776	schtasks.exe
		2572	schtasks.exe
		2020	schtasks.exe
		2528	schtasks.exe
		1872	schtasks.exe
		1680	schtasks.exe
		2768	schtasks.exe
		2100	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		59b9f54f927431d2cf31d3aa202a0843.exe
		2308	schtasks.exe
		2068	schtasks.exe
		1984	schtasks.exe
		1624	schtasks.exe
		2396	schtasks.exe
		1748	schtasks.exe
		2664	schtasks.exe
		2580	schtasks.exe
		2064	schtasks.exe
		2912	schtasks.exe
		2520	schtasks.exe
		1496	schtasks.exe
		2728	schtasks.exe
		832	schtasks.exe
		1000	schtasks.exe
		1788	schtasks.exe
		2108	schtasks.exe
		2392	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PLA\\Templates\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Recent\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Users\\Public\\Downloads\\winlogon.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PLA\\Templates\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Recent\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Users\\Public\\Downloads\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\Idle.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PLA\\Templates\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Recent\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Users\\Public\\Downloads\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\csrss.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PLA\\Templates\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Recent\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Users\\Public\\Downloads\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\services.exe\", \"C:\\Users\\Admin\\Pictures\\taskhost.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PLA\\Templates\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Recent\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Users\\Public\\Downloads\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\services.exe\", \"C:\\Users\\Admin\\Pictures\\taskhost.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\csrss.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\taskhost.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PLA\\Templates\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Recent\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PLA\\Templates\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Recent\\WmiPrvSE.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PLA\\Templates\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Recent\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\dwm.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PLA\\Templates\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Recent\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Users\\Public\\Downloads\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\services.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PLA\\Templates\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Recent\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Users\\Public\\Downloads\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\services.exe\", \"C:\\Users\\Admin\\Pictures\\taskhost.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\csrss.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PLA\\Templates\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Recent\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Users\\Public\\Downloads\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\services.exe\", \"C:\\Users\\Admin\\Pictures\\taskhost.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\csrss.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\taskhost.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\59b9f54f927431d2cf31d3aa202a0843.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PLA\\Templates\\WmiPrvSE.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2984	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2984	schtasks.exe	28

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	59b9f54f927431d2cf31d3aa202a0843.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/848-1-0x0000000000210000-0x000000000043E000-memory.dmp	dcrat
behavioral1/files/0x0005000000019604-38.dat	dcrat
behavioral1/files/0x0007000000019606-82.dat	dcrat
behavioral1/files/0x000700000001960c-90.dat	dcrat
behavioral1/memory/1632-211-0x0000000001010000-0x000000000123E000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	59b9f54f927431d2cf31d3aa202a0843.exe

Executes dropped EXE 1 IoCs

pid	Process
1632	csrss.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\Idle.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\59b9f54f927431d2cf31d3aa202a0843 = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\59b9f54f927431d2cf31d3aa202a0843.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\PLA\\Templates\\WmiPrvSE.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\Idle.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\services.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Uninstall Information\\csrss.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Admin\\Pictures\\taskhost.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\taskhost.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default User\\dwm.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default User\\dwm.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Downloads\\winlogon.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Downloads\\winlogon.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\csrss.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\services.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Uninstall Information\\csrss.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\taskhost.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\PLA\\Templates\\WmiPrvSE.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Default\\Recent\\WmiPrvSE.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Default\\Recent\\WmiPrvSE.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\csrss.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Admin\\Pictures\\taskhost.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\59b9f54f927431d2cf31d3aa202a0843 = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\59b9f54f927431d2cf31d3aa202a0843.exe\""	59b9f54f927431d2cf31d3aa202a0843.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	59b9f54f927431d2cf31d3aa202a0843.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io
8	ipinfo.io

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\886983d96e3d3e	59b9f54f927431d2cf31d3aa202a0843.exe
File created	C:\Program Files (x86)\Uninstall Information\886983d96e3d3e	59b9f54f927431d2cf31d3aa202a0843.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\csrss.exe	59b9f54f927431d2cf31d3aa202a0843.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXFF07.tmp	59b9f54f927431d2cf31d3aa202a0843.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	59b9f54f927431d2cf31d3aa202a0843.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\Idle.exe	59b9f54f927431d2cf31d3aa202a0843.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\6ccacd8608530f	59b9f54f927431d2cf31d3aa202a0843.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\Idle.exe	59b9f54f927431d2cf31d3aa202a0843.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXFF06.tmp	59b9f54f927431d2cf31d3aa202a0843.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	59b9f54f927431d2cf31d3aa202a0843.exe
File created	C:\Program Files (x86)\Uninstall Information\csrss.exe	59b9f54f927431d2cf31d3aa202a0843.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX514.tmp	59b9f54f927431d2cf31d3aa202a0843.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\RCXFD01.tmp	59b9f54f927431d2cf31d3aa202a0843.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\RCXFD02.tmp	59b9f54f927431d2cf31d3aa202a0843.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX515.tmp	59b9f54f927431d2cf31d3aa202a0843.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\PLA\Templates\WmiPrvSE.exe	59b9f54f927431d2cf31d3aa202a0843.exe
File opened for modification	C:\Windows\PLA\Templates\WmiPrvSE.exe	59b9f54f927431d2cf31d3aa202a0843.exe
File created	C:\Windows\PLA\Templates\24dbde2999530e	59b9f54f927431d2cf31d3aa202a0843.exe
File opened for modification	C:\Windows\PLA\Templates\RCXF24D.tmp	59b9f54f927431d2cf31d3aa202a0843.exe
File opened for modification	C:\Windows\PLA\Templates\RCXF24E.tmp	59b9f54f927431d2cf31d3aa202a0843.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2972	schtasks.exe
1624	schtasks.exe
2572	schtasks.exe
112	schtasks.exe
1000	schtasks.exe
1788	schtasks.exe
2108	schtasks.exe
2520	schtasks.exe
2392	schtasks.exe
832	schtasks.exe
1776	schtasks.exe
1748	schtasks.exe
2644	schtasks.exe
2696	schtasks.exe
588	schtasks.exe
2396	schtasks.exe
2768	schtasks.exe
1496	schtasks.exe
2268	schtasks.exe
2912	schtasks.exe
2336	schtasks.exe
2100	schtasks.exe
2064	schtasks.exe
1984	schtasks.exe
1680	schtasks.exe
3008	schtasks.exe
2728	schtasks.exe
2664	schtasks.exe
1872	schtasks.exe
2308	schtasks.exe
2528	schtasks.exe
2628	schtasks.exe
2068	schtasks.exe
536	schtasks.exe
2020	schtasks.exe
2580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
848	59b9f54f927431d2cf31d3aa202a0843.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1632	csrss.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	848	59b9f54f927431d2cf31d3aa202a0843.exe
Token: SeDebugPrivilege	1632	csrss.exe
Token: SeBackupPrivilege	1796	vssvc.exe
Token: SeRestorePrivilege	1796	vssvc.exe
Token: SeAuditPrivilege	1796	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1632	csrss.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2532	848	59b9f54f927431d2cf31d3aa202a0843.exe	65
PID 848 wrote to memory of 2532	848	59b9f54f927431d2cf31d3aa202a0843.exe	65
PID 848 wrote to memory of 2532	848	59b9f54f927431d2cf31d3aa202a0843.exe	65
PID 2532 wrote to memory of 2516	2532	cmd.exe	67
PID 2532 wrote to memory of 2516	2532	cmd.exe	67
PID 2532 wrote to memory of 2516	2532	cmd.exe	67
PID 2532 wrote to memory of 1632	2532	cmd.exe	68
PID 2532 wrote to memory of 1632	2532	cmd.exe	68
PID 2532 wrote to memory of 1632	2532	cmd.exe	68
PID 1632 wrote to memory of 1772	1632	csrss.exe	69
PID 1632 wrote to memory of 1772	1632	csrss.exe	69
PID 1632 wrote to memory of 1772	1632	csrss.exe	69
PID 1632 wrote to memory of 1768	1632	csrss.exe	70
PID 1632 wrote to memory of 1768	1632	csrss.exe	70
PID 1632 wrote to memory of 1768	1632	csrss.exe	70

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	59b9f54f927431d2cf31d3aa202a0843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\59b9f54f927431d2cf31d3aa202a0843.exe
"C:\Users\Admin\AppData\Local\Temp\59b9f54f927431d2cf31d3aa202a0843.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4YhpUhHpv9.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2516
- - C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe
    "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1632
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f7a0d1e-3946-45a7-8475-591b45c498f4.vbs"
      4⤵
      PID:1772
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b724ca06-f8fd-409f-805b-19d0d6127a60.vbs"
      4⤵
      PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\Templates\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\Templates\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Recent\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Recent\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Recent\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Downloads\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Pictures\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Pictures\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "59b9f54f927431d2cf31d3aa202a08435" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\59b9f54f927431d2cf31d3aa202a0843.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "59b9f54f927431d2cf31d3aa202a0843" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\59b9f54f927431d2cf31d3aa202a0843.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "59b9f54f927431d2cf31d3aa202a08435" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\59b9f54f927431d2cf31d3aa202a0843.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4YhpUhHpv9.bat

Filesize
237B

MD5
38577b87335671db3308d11ab88afde2

SHA1
f15b3f01301c6f7826e7ac2d45246c8f04083c09

SHA256
ec058d07806d02c84a5b0fc608e38fea075837b776d62b79fbbd91233e36ce57

SHA512
becc5816e0a7b79a04d5e03aac06c1d32f051fc586c073fe00e99844b61b935c680db000e07888b80a0f8845b7e9454a6019acfe6aae3609d604664387bd8e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f7a0d1e-3946-45a7-8475-591b45c498f4.vbs

Filesize
748B

MD5
37bd0bc1620e3abfb6a7e16fa8abb796

SHA1
067e01d6c81f615fb41e2ea1c962ffb797a31adb

SHA256
f132ee786995b527cf200753f840b06d20fb091685153105612cc63738b50b64

SHA512
2e13a04f1e8f71cb27635f731fe28713af181839ee1dd50c9adc706f451aa97e4a003e85b26c11075bdcfb737c00d6bc0f8baebc3a0dd63491e157e2f9618763

Download Submit
C:\Users\Admin\AppData\Local\Temp\b724ca06-f8fd-409f-805b-19d0d6127a60.vbs

Filesize
524B

MD5
207b5357a72b0e0a36bcad43f603862c

SHA1
ff10fdadcb3f0e9a14159cb994158501c59a2f90

SHA256
09e8b829971ce4988b449b50fdf0dcaeaec1962290382c9ee994d88035b6f3a6

SHA512
d32351d53ca91058eb204851e1c286171b5557715b053b25d525634fb2d3d715a5d45a23313c21132e74bdd12283e3b3d469bed7e6dfea241b51803c900465f5

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\WmiPrvSE.exe

Filesize
2.2MB

MD5
0cc1b6c4c20fec84e1b1d2b8e673e48e

SHA1
955de43d926146dd2c134fd19d449f978bca6be3

SHA256
997277a485cee97e10a5a1502db8a692eb8070b2691c8d1a7b0de970f13e0c40

SHA512
7f302f5008e9b0602401b1ff7c9bce36db3253fdc70625572a2708d83eeec8aa92df7c07349eb42583b30ec2a388db79dbfbdbfee098756cb5931053a438aaf9

Download Submit
C:\Users\Default\RCXF6E4.tmp

Filesize
2.2MB

MD5
54b48d7611fb49892fd9f36e6c9eb58c

SHA1
ca6e1ff091ea3624afd344751886e9b4e655a6f3

SHA256
f8fd70996226e10c0e26187249fc0e156c5d5141f6db19e2cf070b75d0e800c8

SHA512
52312fb241f9c9a3e1978e64127e574e35130b052081ead8eeb3bc9361825738cab14d172e3651effc7b97615cfec9ca565726decb3b721c1754c4f7a84ae754

Download Submit
C:\Users\Public\Downloads\winlogon.exe

Filesize
2.2MB

MD5
59b9f54f927431d2cf31d3aa202a0843

SHA1
b23d214605133dc8e930f9a9d473c7c7622b4b56

SHA256
007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594

SHA512
89106822646d8d412d5c956fd01ad37e4b1f34599497f8e362262f82d2d47f4460632019d6ec09da58c45d690ebd03f2812d5809743203be081702680bfb28f8

Download Submit
memory/848-19-0x0000000002420000-0x000000000242C000-memory.dmp

Filesize
48KB

Download
memory/848-22-0x000000001A9B0000-0x000000001A9BA000-memory.dmp

Filesize
40KB

Download
memory/848-8-0x0000000002140000-0x0000000002156000-memory.dmp

Filesize
88KB

Download
memory/848-9-0x0000000002160000-0x000000000216C000-memory.dmp

Filesize
48KB

Download
memory/848-10-0x00000000021F0000-0x00000000021F8000-memory.dmp

Filesize
32KB

Download
memory/848-11-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/848-12-0x0000000002210000-0x000000000221A000-memory.dmp

Filesize
40KB

Download
memory/848-13-0x0000000002220000-0x000000000222C000-memory.dmp

Filesize
48KB

Download
memory/848-14-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/848-15-0x0000000002240000-0x000000000224C000-memory.dmp

Filesize
48KB

Download
memory/848-16-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/848-18-0x0000000002260000-0x0000000002272000-memory.dmp

Filesize
72KB

Download
memory/848-0-0x000007FEF64A3000-0x000007FEF64A4000-memory.dmp

Filesize
4KB

Download
memory/848-20-0x0000000002430000-0x000000000243C000-memory.dmp

Filesize
48KB

Download
memory/848-21-0x0000000002440000-0x000000000244C000-memory.dmp

Filesize
48KB

Download
memory/848-7-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/848-23-0x000000001A9C0000-0x000000001A9CE000-memory.dmp

Filesize
56KB

Download
memory/848-24-0x000000001A9D0000-0x000000001A9D8000-memory.dmp

Filesize
32KB

Download
memory/848-25-0x000000001A9E0000-0x000000001A9EE000-memory.dmp

Filesize
56KB

Download
memory/848-26-0x000000001A9F0000-0x000000001A9FC000-memory.dmp

Filesize
48KB

Download
memory/848-27-0x000000001AA00000-0x000000001AA08000-memory.dmp

Filesize
32KB

Download
memory/848-28-0x000000001AA10000-0x000000001AA1C000-memory.dmp

Filesize
48KB

Download
memory/848-29-0x000007FEF64A0000-0x000007FEF6E8C000-memory.dmp

Filesize
9.9MB

Download
memory/848-6-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/848-5-0x00000000020A0000-0x00000000020BC000-memory.dmp

Filesize
112KB

Download
memory/848-4-0x0000000000460000-0x000000000046E000-memory.dmp

Filesize
56KB

Download
memory/848-201-0x000007FEF64A3000-0x000007FEF64A4000-memory.dmp

Filesize
4KB

Download
memory/848-207-0x000007FEF64A0000-0x000007FEF6E8C000-memory.dmp

Filesize
9.9MB

Download
memory/848-3-0x0000000000450000-0x000000000045E000-memory.dmp

Filesize
56KB

Download
memory/848-1-0x0000000000210000-0x000000000043E000-memory.dmp

Filesize
2.2MB

Download
memory/848-2-0x000007FEF64A0000-0x000007FEF6E8C000-memory.dmp

Filesize
9.9MB

Download
memory/1632-211-0x0000000001010000-0x000000000123E000-memory.dmp

Filesize
2.2MB

Download