dcrat | c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c

Analysis

max time kernel
99s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Size

1.1MB
MD5

47ca2bfa2766ff45af97abbd85cd2e6d
SHA1

248680da6aad01e8416e19ed8666ba5462de3bd3
SHA256

c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c
SHA512

60c2f234538bc55b739f7f8131ef1efe00a77cc42c5647e93c93b9408c89c1c9c20b7bfccd01e9aa84a39bb2e7c096c8b89fdf415c402b74927b7320902c44de
SSDEEP

24576:AMYPCI+q+U4cIG409ozWucypk1Nd4AX+iB/YjuM6kyh+W:ABPZ0Kr1FXHB/guM6k+f

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 32 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exec1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	pid	Process
		4232	schtasks.exe
		2716	schtasks.exe
		1680	schtasks.exe
		4852	schtasks.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\0a1fd5f707cd16		c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
		3180	schtasks.exe
		2132	schtasks.exe
		632	schtasks.exe
		3660	schtasks.exe
		4196	schtasks.exe
		2024	schtasks.exe
		4064	schtasks.exe
		1176	schtasks.exe
		2936	schtasks.exe
		3076	schtasks.exe
		3940	schtasks.exe
		2088	schtasks.exe
		1948	schtasks.exe
		4752	schtasks.exe
		2924	schtasks.exe
		1704	schtasks.exe
		4844	schtasks.exe
		1748	schtasks.exe
		388	schtasks.exe
		1428	schtasks.exe
		1000	schtasks.exe
		3656	schtasks.exe
		5116	schtasks.exe
		1208	schtasks.exe
		3284	schtasks.exe
		2768	schtasks.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe		c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\sppsvc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\", \"C:\\Users\\Public\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Media Player\\unsecapp.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\sppsvc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\", \"C:\\Users\\Public\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Media Player\\unsecapp.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\spoolsv.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\csrss.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\sppsvc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\", \"C:\\Users\\Public\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Media Player\\unsecapp.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\spoolsv.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\csrss.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\Users\\Default User\\smss.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\sppsvc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\", \"C:\\Users\\Public\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Media Player\\unsecapp.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\spoolsv.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\csrss.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\Users\\Default User\\smss.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\sppsvc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\", \"C:\\Users\\Public\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Media Player\\unsecapp.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\spoolsv.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\csrss.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\Users\\Default User\\smss.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\csrss.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\sppsvc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\sppsvc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\", \"C:\\Users\\Public\\SppExtComObj.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\sppsvc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\", \"C:\\Users\\Public\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Media Player\\unsecapp.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\spoolsv.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\sppsvc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\", \"C:\\Users\\Public\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Media Player\\unsecapp.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\spoolsv.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\csrss.exe\", \"C:\\Users\\Public\\smss.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\sppsvc.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	4992	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	4992	schtasks.exe	82

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/5052-1-0x0000000000E40000-0x0000000000F6E000-memory.dmp	dcrat
behavioral2/files/0x0007000000023ca4-17.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid	Process
744	csrss.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\Public\\SppExtComObj.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\Windows Media Player\\unsecapp.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\smss.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\smss.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\Windows Media Player\\unsecapp.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\csrss.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\sppsvc.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Multimedia Platform\\spoolsv.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Multimedia Platform\\spoolsv.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\csrss.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default User\\smss.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\sppsvc.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\Public\\SppExtComObj.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default User\\smss.exe\""	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe

Drops file in Program Files directory 13 IoCs

Processes:

c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\0a1fd5f707cd16	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
File created	C:\Program Files\Windows Media Player\unsecapp.exe	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
File created	C:\Program Files\Windows Multimedia Platform\spoolsv.exe	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
File created	C:\Program Files\Windows Multimedia Platform\f3b6ecef712a24	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
File created	C:\Program Files (x86)\MSBuild\9e8d7a4ca61bd9	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
File created	C:\Program Files (x86)\MSBuild\RuntimeBroker.exe	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\ea1d8f6d871115	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
File created	C:\Program Files\Windows Media Player\29c1c3cc0f7685	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\886983d96e3d3e	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
3660	schtasks.exe
4064	schtasks.exe
1680	schtasks.exe
2132	schtasks.exe
1428	schtasks.exe
3180	schtasks.exe
1000	schtasks.exe
2024	schtasks.exe
4752	schtasks.exe
1948	schtasks.exe
2924	schtasks.exe
2716	schtasks.exe
4232	schtasks.exe
1704	schtasks.exe
3656	schtasks.exe
388	schtasks.exe
5116	schtasks.exe
4852	schtasks.exe
3284	schtasks.exe
2088	schtasks.exe
4844	schtasks.exe
632	schtasks.exe
2768	schtasks.exe
1208	schtasks.exe
1748	schtasks.exe
3940	schtasks.exe
3076	schtasks.exe
1176	schtasks.exe
2936	schtasks.exe
4196	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.execsrss.exe

pid	Process
5052	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
5052	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
5052	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
5052	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
5052	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
5052	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
5052	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
5052	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
5052	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
744	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.execsrss.exe

description	pid	Process
Token: SeDebugPrivilege	5052	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
Token: SeDebugPrivilege	744	csrss.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.execmd.exe

description	pid	Process	procid_target
PID 5052 wrote to memory of 2600	5052	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe	113
PID 5052 wrote to memory of 2600	5052	c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe	113
PID 2600 wrote to memory of 4972	2600	cmd.exe	115
PID 2600 wrote to memory of 4972	2600	cmd.exe	115
PID 2600 wrote to memory of 744	2600	cmd.exe	119
PID 2600 wrote to memory of 744	2600	cmd.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe
"C:\Users\Admin\AppData\Local\Temp\c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JjFiJUlN8Z.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4972
- - C:\Users\Default User\csrss.exe
    "C:\Users\Default User\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Public\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Multimedia Platform\spoolsv.exe

Filesize
1.1MB

MD5
47ca2bfa2766ff45af97abbd85cd2e6d

SHA1
248680da6aad01e8416e19ed8666ba5462de3bd3

SHA256
c1f933dff9c16bc5dce053584b2112183b119f86de63e755fedab81d26d8d42c

SHA512
60c2f234538bc55b739f7f8131ef1efe00a77cc42c5647e93c93b9408c89c1c9c20b7bfccd01e9aa84a39bb2e7c096c8b89fdf415c402b74927b7320902c44de

Download Submit
C:\Users\Admin\AppData\Local\Temp\JjFiJUlN8Z.bat

Filesize
196B

MD5
69cb4e4fdfd8550e2503badd99fe0347

SHA1
aaf837d37618062f464fad4c5abdffb8e254d86b

SHA256
3790ce8e9e63dcf5e2542db3c7958dea84dc2763f70ad230dfa7b122d8c8a0d7

SHA512
cc920336121bfa62e77f4989d4cbb17d943d00a140ec1b9e3983b99ec78a18d5e3529e03b602442a0224998fba266cb9e8e2802c11abe38ea95bc84dfb7cab4f

Download Submit
memory/5052-0-0x00007FFCCA253000-0x00007FFCCA255000-memory.dmp

Filesize
8KB

Download
memory/5052-1-0x0000000000E40000-0x0000000000F6E000-memory.dmp

Filesize
1.2MB

Download
memory/5052-2-0x00007FFCCA250000-0x00007FFCCAD11000-memory.dmp

Filesize
10.8MB

Download
memory/5052-3-0x0000000001870000-0x000000000188C000-memory.dmp

Filesize
112KB

Download
memory/5052-4-0x000000001BB00000-0x000000001BB50000-memory.dmp

Filesize
320KB

Download
memory/5052-5-0x0000000003190000-0x00000000031A2000-memory.dmp

Filesize
72KB

Download
memory/5052-6-0x000000001C8B0000-0x000000001CDD8000-memory.dmp

Filesize
5.2MB

Download
memory/5052-7-0x00000000031C0000-0x00000000031CE000-memory.dmp

Filesize
56KB

Download
memory/5052-8-0x000000001BAB0000-0x000000001BAB8000-memory.dmp

Filesize
32KB

Download
memory/5052-35-0x00007FFCCA250000-0x00007FFCCAD11000-memory.dmp

Filesize
10.8MB

Download