dcrat | 0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Size

2.7MB
MD5

9ee80d36d88c45263efe383594c9e691
SHA1

48474dc934a74661330f307b199581867f6baa7c
SHA256

0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd
SHA512

ae1fab9d36bcef8c8e65c2e93e42ff83f8fc7641d1a1662b8ecd959fd2a28cd1c57cb751ce83c8d7f815cc10e8d226065b224303ef19b53508ba0a3601337f81
SSDEEP

24576:S+O4GERsRRVgXtXzrTiJe48ySFtPNe5fO:lirO9P348yqb

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 36 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2148	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\NetworkBindingEngineMigPlugin\\lsass.exe\""		0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\PerfLogs\\spoolsv.exe\""		0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
		4840	schtasks.exe
		3992	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\""		0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\PerfLogs\\upfc.exe\""		0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
		2908	schtasks.exe
		2496	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\", \"C:\\PerfLogs\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkBindingEngineMigPlugin\\lsass.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\""		0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\""		0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
		3080	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\", \"C:\\PerfLogs\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkBindingEngineMigPlugin\\lsass.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\", \"C:\\Windows\\System32\\wbem\\WPDShServiceObj\\unsecapp.exe\", \"C:\\PerfLogs\\upfc.exe\""		0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
		4384	schtasks.exe
		2252	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default User\\explorer.exe\""		0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\splwow64\\explorer.exe\""		0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default User\\explorer.exe\""		0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\splwow64\\explorer.exe\""		0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
		4796	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\""		0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\", \"C:\\PerfLogs\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkBindingEngineMigPlugin\\lsass.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\", \"C:\\Windows\\System32\\wbem\\WPDShServiceObj\\unsecapp.exe\""		0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\", \"C:\\PerfLogs\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkBindingEngineMigPlugin\\lsass.exe\""		0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\NetworkBindingEngineMigPlugin\\lsass.exe\""		0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
		4760	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\""		0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\PerfLogs\\spoolsv.exe\""		0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\WPDShServiceObj\\unsecapp.exe\""		0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
		4008	schtasks.exe
		1728	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\PerfLogs\\upfc.exe\""		0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
		3120	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\", \"C:\\PerfLogs\\spoolsv.exe\""		0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\", \"C:\\PerfLogs\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkBindingEngineMigPlugin\\lsass.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\", \"C:\\Windows\\System32\\wbem\\WPDShServiceObj\\unsecapp.exe\", \"C:\\PerfLogs\\upfc.exe\", \"C:\\Windows\\splwow64\\explorer.exe\""		0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
		3428	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\WPDShServiceObj\\unsecapp.exe\""		0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 14 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\", \"C:\\PerfLogs\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkBindingEngineMigPlugin\\lsass.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\", \"C:\\Windows\\System32\\wbem\\WPDShServiceObj\\unsecapp.exe\", \"C:\\PerfLogs\\upfc.exe\", \"C:\\Windows\\splwow64\\explorer.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\", \"C:\\PerfLogs\\spoolsv.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\", \"C:\\PerfLogs\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkBindingEngineMigPlugin\\lsass.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\", \"C:\\Windows\\System32\\wbem\\WPDShServiceObj\\unsecapp.exe\", \"C:\\PerfLogs\\upfc.exe\", \"C:\\Windows\\splwow64\\explorer.exe\", \"C:\\PerfLogs\\dwm.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\", \"C:\\PerfLogs\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkBindingEngineMigPlugin\\lsass.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\", \"C:\\Windows\\System32\\wbem\\WPDShServiceObj\\unsecapp.exe\", \"C:\\PerfLogs\\upfc.exe\", \"C:\\Windows\\splwow64\\explorer.exe\", \"C:\\PerfLogs\\dwm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\OZMCVSQS-20241007-0916\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Test\\Modules\\Example2.Diagnostics\\1.0.1\\explorer.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\", \"C:\\PerfLogs\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkBindingEngineMigPlugin\\lsass.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\", \"C:\\Windows\\System32\\wbem\\WPDShServiceObj\\unsecapp.exe\", \"C:\\PerfLogs\\upfc.exe\", \"C:\\Windows\\splwow64\\explorer.exe\", \"C:\\PerfLogs\\dwm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\OZMCVSQS-20241007-0916\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Test\\Modules\\Example2.Diagnostics\\1.0.1\\explorer.exe\", \"C:\\Windows\\PrintDialog\\microsoft.system.package.metadata\\Autogen\\winlogon.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\", \"C:\\PerfLogs\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkBindingEngineMigPlugin\\lsass.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\", \"C:\\Windows\\System32\\wbem\\WPDShServiceObj\\unsecapp.exe\", \"C:\\PerfLogs\\upfc.exe\", \"C:\\Windows\\splwow64\\explorer.exe\", \"C:\\PerfLogs\\dwm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\OZMCVSQS-20241007-0916\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Test\\Modules\\Example2.Diagnostics\\1.0.1\\explorer.exe\", \"C:\\Windows\\PrintDialog\\microsoft.system.package.metadata\\Autogen\\winlogon.exe\", \"C:\\Windows\\System32\\wbem\\mstsc\\WmiPrvSE.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\", \"C:\\PerfLogs\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkBindingEngineMigPlugin\\lsass.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\", \"C:\\Windows\\System32\\wbem\\WPDShServiceObj\\unsecapp.exe\", \"C:\\PerfLogs\\upfc.exe\", \"C:\\Windows\\splwow64\\explorer.exe\", \"C:\\PerfLogs\\dwm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\OZMCVSQS-20241007-0916\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Test\\Modules\\Example2.Diagnostics\\1.0.1\\explorer.exe\", \"C:\\Windows\\PrintDialog\\microsoft.system.package.metadata\\Autogen\\winlogon.exe\", \"C:\\Windows\\System32\\wbem\\mstsc\\WmiPrvSE.exe\", \"C:\\Windows\\notepad\\sysmon.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\", \"C:\\PerfLogs\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkBindingEngineMigPlugin\\lsass.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\", \"C:\\PerfLogs\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkBindingEngineMigPlugin\\lsass.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\", \"C:\\Windows\\System32\\wbem\\WPDShServiceObj\\unsecapp.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\", \"C:\\PerfLogs\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkBindingEngineMigPlugin\\lsass.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\", \"C:\\PerfLogs\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkBindingEngineMigPlugin\\lsass.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\", \"C:\\Windows\\System32\\wbem\\WPDShServiceObj\\unsecapp.exe\", \"C:\\PerfLogs\\upfc.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\", \"C:\\PerfLogs\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkBindingEngineMigPlugin\\lsass.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\", \"C:\\Windows\\System32\\wbem\\WPDShServiceObj\\unsecapp.exe\", \"C:\\PerfLogs\\upfc.exe\", \"C:\\Windows\\splwow64\\explorer.exe\", \"C:\\PerfLogs\\dwm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\OZMCVSQS-20241007-0916\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe

Process spawned unexpected child process 14 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	5016	schtasks.exe	82

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe

Executes dropped EXE 1 IoCs

pid	Process
4924	WmiPrvSE.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd = "\"C:\\Windows\\Logs\\WindowsUpdate\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\OZMCVSQS-20241007-0916\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\notepad\\sysmon.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default User\\explorer.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\PerfLogs\\dwm.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\OZMCVSQS-20241007-0916\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Test\\Modules\\Example2.Diagnostics\\1.0.1\\explorer.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\notepad\\sysmon.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default User\\explorer.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\splwow64\\explorer.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\WPDShServiceObj\\unsecapp.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\WPDShServiceObj\\unsecapp.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\PerfLogs\\upfc.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Test\\Modules\\Example2.Diagnostics\\1.0.1\\explorer.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\PrintDialog\\microsoft.system.package.metadata\\Autogen\\winlogon.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\PerfLogs\\spoolsv.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\NetworkBindingEngineMigPlugin\\lsass.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\PerfLogs\\dwm.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\mstsc\\WmiPrvSE.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\PerfLogs\\upfc.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\splwow64\\explorer.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\PrintDialog\\microsoft.system.package.metadata\\Autogen\\winlogon.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\mstsc\\WmiPrvSE.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd = "\"C:\\Windows\\Logs\\WindowsUpdate\\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\PerfLogs\\spoolsv.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\NetworkBindingEngineMigPlugin\\lsass.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\""	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System32\wbem\mstsc\24dbde2999530ef5fd907494bc374d663924116c	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
File created	C:\Windows\System32\NetworkBindingEngineMigPlugin\lsass.exe	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
File created	C:\Windows\System32\NetworkBindingEngineMigPlugin\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
File created	C:\Windows\System32\wbem\WPDShServiceObj\unsecapp.exe	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
File created	C:\Windows\System32\wbem\WPDShServiceObj\29c1c3cc0f76855c7e7456076a4ffc27e4947119	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
File created	C:\Windows\System32\wbem\mstsc\WmiPrvSE.exe	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\explorer.exe	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Logs\WindowsUpdate\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
File created	C:\Windows\Logs\WindowsUpdate\9e1bfffaf4adeccb7416fd3ec377f85591ccdc5b	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\TextInputHost.exe	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
File created	C:\Windows\notepad\sysmon.exe	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\22eafd247d37c30fed3795ee41d259ec72bb351c	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
File created	C:\Windows\splwow64\explorer.exe	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
File created	C:\Windows\splwow64\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
File created	C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\winlogon.exe	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
File created	C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\cc11b995f2a76da408ea6a601e682e64743153ad	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
File created	C:\Windows\notepad\121e5b5079f7c0e46d90f99b3864022518bbbda9	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2252	schtasks.exe
4008	schtasks.exe
3120	schtasks.exe
3080	schtasks.exe
4384	schtasks.exe
2148	schtasks.exe
2496	schtasks.exe
2908	schtasks.exe
4760	schtasks.exe
1728	schtasks.exe
3428	schtasks.exe
4796	schtasks.exe
3992	schtasks.exe
4840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4900	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
4900	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
4900	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
648	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
648	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
648	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
4924	WmiPrvSE.exe
4924	WmiPrvSE.exe
4924	WmiPrvSE.exe
4924	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4900	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Token: SeDebugPrivilege	648	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
Token: SeDebugPrivilege	4924	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 64	4900	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe	91
PID 4900 wrote to memory of 64	4900	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe	91
PID 64 wrote to memory of 2016	64	cmd.exe	93
PID 64 wrote to memory of 2016	64	cmd.exe	93
PID 64 wrote to memory of 648	64	cmd.exe	97
PID 64 wrote to memory of 648	64	cmd.exe	97
PID 648 wrote to memory of 704	648	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe	104
PID 648 wrote to memory of 704	648	0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe	104
PID 704 wrote to memory of 1148	704	cmd.exe	106
PID 704 wrote to memory of 1148	704	cmd.exe	106
PID 704 wrote to memory of 4924	704	cmd.exe	110
PID 704 wrote to memory of 4924	704	cmd.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
"C:\Users\Admin\AppData\Local\Temp\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ylzBfwqiiK.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2016
- - C:\Users\Admin\AppData\Local\Temp\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe
    "C:\Users\Admin\AppData\Local\Temp\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:648
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r18DqsvVrj.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:704
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1148
    - - C:\Windows\System32\wbem\mstsc\WmiPrvSE.exe
        
        "C:\Windows\System32\wbem\mstsc\WmiPrvSE.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd" /sc ONLOGON /tr "'C:\Windows\Logs\WindowsUpdate\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\PerfLogs\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\NetworkBindingEngineMigPlugin\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\WPDShServiceObj\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\PerfLogs\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\splwow64\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\PerfLogs\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\OZMCVSQS-20241007-0916\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\mstsc\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\notepad\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe.log

Filesize
1KB

MD5
b7c0c43fc7804baaa7dc87152cdc9554

SHA1
1bab62bd56af745678d4e967d91e1ccfdeed4038

SHA256
46386a61f3aaf1b1c2e6efc9fc7e9e9ff16cd13ae58b8d856835771fedb6d457

SHA512
9fda3dd00a3406137e0113f13f78e77b20a76512b35820d38df696842cbbf2e2ebabfb99a3846c9637ecb54af858ec1551521187e379872973006426a253f769

Download Submit
C:\Users\Admin\AppData\Local\Temp\r18DqsvVrj.bat

Filesize
207B

MD5
18bb4fda72f691002bcfcb7110f89d65

SHA1
66fa205eecd741db0f9f01eeb79e0f43a541026c

SHA256
ea27d697d6f46c0a6881872e86db02a5e1a2ae4818788cb2ed507a21bd75677c

SHA512
64c6984e1c5f31ba124854a766ad84ea5bfc5f5080853b65bf62b7c5f268880ece1bf5fa8c86dc7d7a836f753e10555b6535d47d03990672d8dcf4bd1287e4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ylzBfwqiiK.bat

Filesize
266B

MD5
363a9c04327fdd946c11770a7108e430

SHA1
ee7dc1805234dd4fcfef0f70cc3455128e376340

SHA256
ecbe4565c4885a9a36222988156632ab6747e08c7e924707b6e0f44780ee3e89

SHA512
ee2151f545141b07bef843210d5327b79108f5a56d5e7d0e3494a510594b49e7b3f9cb97b69514b08fb368d41c35e8c61708044977cef8bc19d850605db89aab

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\TextInputHost.exe

Filesize
2.7MB

MD5
9ee80d36d88c45263efe383594c9e691

SHA1
48474dc934a74661330f307b199581867f6baa7c

SHA256
0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd

SHA512
ae1fab9d36bcef8c8e65c2e93e42ff83f8fc7641d1a1662b8ecd959fd2a28cd1c57cb751ce83c8d7f815cc10e8d226065b224303ef19b53508ba0a3601337f81

Download Submit
memory/4900-24-0x00007FF816960000-0x00007FF817421000-memory.dmp

Filesize
10.8MB

Download
memory/4900-0-0x00007FF816963000-0x00007FF816965000-memory.dmp

Filesize
8KB

Download
memory/4900-4-0x00007FF816960000-0x00007FF817421000-memory.dmp

Filesize
10.8MB

Download
memory/4900-1-0x0000000000090000-0x000000000033E000-memory.dmp

Filesize
2.7MB

Download
memory/4924-47-0x0000000003350000-0x000000000335C000-memory.dmp

Filesize
48KB

Download
memory/4924-48-0x0000000003360000-0x000000000336C000-memory.dmp

Filesize
48KB

Download
memory/4924-49-0x000000001BE30000-0x000000001BE3C000-memory.dmp

Filesize
48KB

Download
memory/4924-50-0x0000000003370000-0x0000000003378000-memory.dmp

Filesize
32KB

Download
memory/4924-51-0x00000000034A0000-0x00000000034AA000-memory.dmp

Filesize
40KB

Download