dcrat | e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Size

1.8MB
MD5

382eaedc34bfc15b7e749fb8a0cff600
SHA1

d8729997725a187120ee95e1d6068586a13ab678
SHA256

e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a
SHA512

f2be10566728f10a1396abf3115a01d98a5b06d18b94e84ecb6fbb012f1ad3ad588be84f09ceafa55bc9fd65a7e6763c68ca67596141c750ae54a2bebfc5c16b
SSDEEP

24576:nfNh6iTrBgSq+kdkpupwocpF4jGdWWfWanontd7ksYKtAwqgKchGGqGLk6kIv/D5:f3/kGAwaCYO4ngs7wg8UkcX

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files\\Microsoft Office\\dllhost.exe\", \"C:\\Users\\All Users\\explorer.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\services.exe\", \"C:\\Windows\\Cursors\\OSPPSVC.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\services.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files\\Microsoft Office\\dllhost.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files\\Microsoft Office\\dllhost.exe\", \"C:\\Users\\All Users\\explorer.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files\\Microsoft Office\\dllhost.exe\", \"C:\\Users\\All Users\\explorer.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\services.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files\\Microsoft Office\\dllhost.exe\", \"C:\\Users\\All Users\\explorer.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\services.exe\", \"C:\\Windows\\Cursors\\OSPPSVC.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2752	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2368	powershell.exe
1692	powershell.exe
2120	powershell.exe
2164	powershell.exe
2256	powershell.exe
956	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1396	OSPPSVC.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\explorer.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\services.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\services.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\services.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\services.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Microsoft Office\\dllhost.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Microsoft Office\\dllhost.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\explorer.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\Cursors\\OSPPSVC.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\Cursors\\OSPPSVC.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCBA5B5F121A5840BA84CA41722F7E2411.TMP	csc.exe
File created	\??\c:\Windows\System32\3kmwe8.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\dllhost.exe	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
File created	C:\Program Files\Microsoft Office\5940a34987c991	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\1610b97d3ab4a7	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
File created	C:\Windows\Performance\WinSAT\DataStore\services.exe	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
File created	C:\Windows\Performance\WinSAT\DataStore\c5b4cb5e9653cc	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
File created	C:\Windows\Cursors\OSPPSVC.exe	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
File opened for modification	C:\Windows\Cursors\OSPPSVC.exe	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2144	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2144	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2844	schtasks.exe
2764	schtasks.exe
792	schtasks.exe
2192	schtasks.exe
2612	schtasks.exe
640	schtasks.exe
2276	schtasks.exe
1232	schtasks.exe
2088	schtasks.exe
692	schtasks.exe
1348	schtasks.exe
324	schtasks.exe
2916	schtasks.exe
2864	schtasks.exe
2728	schtasks.exe
2688	schtasks.exe
2604	schtasks.exe
1512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1396	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	1396	OSPPSVC.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 1048	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	34
PID 632 wrote to memory of 1048	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	34
PID 632 wrote to memory of 1048	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	34
PID 1048 wrote to memory of 2976	1048	csc.exe	36
PID 1048 wrote to memory of 2976	1048	csc.exe	36
PID 1048 wrote to memory of 2976	1048	csc.exe	36
PID 632 wrote to memory of 2368	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	52
PID 632 wrote to memory of 2368	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	52
PID 632 wrote to memory of 2368	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	52
PID 632 wrote to memory of 956	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	53
PID 632 wrote to memory of 956	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	53
PID 632 wrote to memory of 956	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	53
PID 632 wrote to memory of 2256	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	54
PID 632 wrote to memory of 2256	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	54
PID 632 wrote to memory of 2256	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	54
PID 632 wrote to memory of 2164	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	55
PID 632 wrote to memory of 2164	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	55
PID 632 wrote to memory of 2164	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	55
PID 632 wrote to memory of 2120	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	57
PID 632 wrote to memory of 2120	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	57
PID 632 wrote to memory of 2120	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	57
PID 632 wrote to memory of 1692	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	59
PID 632 wrote to memory of 1692	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	59
PID 632 wrote to memory of 1692	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	59
PID 632 wrote to memory of 1564	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	64
PID 632 wrote to memory of 1564	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	64
PID 632 wrote to memory of 1564	632	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe	64
PID 1564 wrote to memory of 2040	1564	cmd.exe	66
PID 1564 wrote to memory of 2040	1564	cmd.exe	66
PID 1564 wrote to memory of 2040	1564	cmd.exe	66
PID 1564 wrote to memory of 2144	1564	cmd.exe	67
PID 1564 wrote to memory of 2144	1564	cmd.exe	67
PID 1564 wrote to memory of 2144	1564	cmd.exe	67
PID 1564 wrote to memory of 1396	1564	cmd.exe	68
PID 1564 wrote to memory of 1396	1564	cmd.exe	68
PID 1564 wrote to memory of 1396	1564	cmd.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
"C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vlqm0k5k\vlqm0k5k.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4F6.tmp" "c:\Windows\System32\CSCBA5B5F121A5840BA84CA41722F7E2411.TMP"
    3⤵
    PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JXFaASItXZ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2040
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2144
- - C:\Windows\Cursors\OSPPSVC.exe
    "C:\Windows\Cursors\OSPPSVC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\DataStore\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Cursors\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847ae" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847ae" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe

Filesize
1.8MB

MD5
382eaedc34bfc15b7e749fb8a0cff600

SHA1
d8729997725a187120ee95e1d6068586a13ab678

SHA256
e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a

SHA512
f2be10566728f10a1396abf3115a01d98a5b06d18b94e84ecb6fbb012f1ad3ad588be84f09ceafa55bc9fd65a7e6763c68ca67596141c750ae54a2bebfc5c16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JXFaASItXZ.bat

Filesize
158B

MD5
6bd61c4e50902a5b124c80066fe73722

SHA1
bd3aa59352aeaf6bc78e858926620f15e23c63d8

SHA256
4ba6a14090b7cbe91cc5a1e3da19019d4c33a22d86119ba3f0cd04a6dcea2cb0

SHA512
2c5b40c3f5ebc6ec5cd8fd8f9592b76d13ab01de3cf7fb1d345439d9d261110f4b5f8dd06ad60acec9eb6c2d28e76a22ce8e5d92f8a992fb712b1f75304b4cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA4F6.tmp

Filesize
1KB

MD5
bcfa5c51dc609741a0ff3f2e0e7c9035

SHA1
07dba77bce100e4f89867ffe9dc7049278d41baa

SHA256
0fa5ff03b09505b345fa704a3d204be6957b9ef2370f9be292e482c082fa6ff0

SHA512
fb087faf24813dfbcc052786bb542a3e1d88dddaab2a61edd73a9f5b9eebe23a12051c7c866db09c189bb7ea66524dbd7eb172ea2c93f5ab0e671f0bfd3e2b09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9a9197d5ab5347093a00640b3ee8bbbf

SHA1
1fd3e34793cca8660dcbab22b395d3ee42b176da

SHA256
321f40e8696b1d3981b62bec2a904e496c0d810e6a8469f47bf7368aacbb1521

SHA512
2f404088ba514f809cd55772950c3dd0723733e839f1584069c3b7bd51cceb268f4c0d25c0d2a873beb4d2ff5b655f365242eabf938306f7a9b72bbaca0a637f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vlqm0k5k\vlqm0k5k.0.cs

Filesize
407B

MD5
cadb976f0e716a438874b3f80795984a

SHA1
69da70adcd087fb0ed9f3414522818e2adc93bfc

SHA256
53ea919ae1395f7920862279ee4961bf35ab2a07152142770a78bb0cba16727d

SHA512
cc3ab9ebe8c19f9aac5f2138fd52b42310079cc4658f2cc442fc0f291d41a04a528f16580f0563cb2386f5110b43fa135655aa844033d392000393e1c3227ac0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vlqm0k5k\vlqm0k5k.cmdline

Filesize
235B

MD5
612be469f31019fbcd09a448a0f8784b

SHA1
69772ad101f566bfdde83bbd90236941d82f4948

SHA256
ed20d14ed004f643fe704a91a0bb7d4b7e908aafce6816a8e1d4af2f55d5622b

SHA512
37518906afdfe5ba35bdfa7e4a06cba150b2788dbe1c229a26b193d9d1fe7c6230c5be6aee2db326ba0c08353a87674c4f924dd58d00e7b968589c94a27998da

Download Submit
\??\c:\Windows\System32\CSCBA5B5F121A5840BA84CA41722F7E2411.TMP

Filesize
1KB

MD5
8c85ef91c6071d33745325a8fa351c3e

SHA1
e3311ceef28823eec99699cc35be27c94eca52d2

SHA256
8db3e3a5515da1933036688a9b1918cfc3339fc687008c5325461271904b2d41

SHA512
2bb89b07fe46b1c406ed6a560e88cb2b8402b1d61bb71e10887bad661751f64f1e5317fd6c1b301ea4766785b915da31b64e0475cfe36c1f950b32915b5dab7d

Download Submit
memory/632-9-0x00000000005D0000-0x00000000005EC000-memory.dmp

Filesize
112KB

Download
memory/632-6-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/632-10-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/632-7-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/632-15-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/632-18-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/632-16-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/632-13-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/632-0-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download
memory/632-12-0x00000000005F0000-0x0000000000608000-memory.dmp

Filesize
96KB

Download
memory/632-4-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/632-3-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/632-2-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/632-57-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/632-1-0x00000000009E0000-0x0000000000BBA000-memory.dmp

Filesize
1.9MB

Download
memory/1396-80-0x0000000000F80000-0x000000000115A000-memory.dmp

Filesize
1.9MB

Download
memory/2368-51-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2368-50-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download