dcrat | 30e973ae2b2420c2506000813d5fc3fb12c4bedc3595b00b097840b597018df9

Analysis

max time kernel
336s
max time network
335s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
27-11-2024 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FATALITY CRACK.rar
Size

2.7MB
MD5

eb91852ed7ae328ed294a75c56582481
SHA1

7d980b6789e74998fd1b906dfb7eda7e3495a127
SHA256

30e973ae2b2420c2506000813d5fc3fb12c4bedc3595b00b097840b597018df9
SHA512

245d39ff89011ea50f42f1098c459349add3a21f8db7d55ddacfe4c812e68920b2a879144ed1845fc6623609cc5a4be7fb8537b0d007607fde289e0eedd89c78
SSDEEP

49152:INSopUBKz7NJ3s9WUt/py3y1VNJNwDn7Fex0P1EDsix6Uqaj:gSopzzZPG/py3ybNgDnBex01RiA2j

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\AccountPictures\\Registry.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\AccountPictures\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\AccountPictures\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\images\\wininit.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\AccountPictures\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\images\\wininit.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\RuntimeBroker.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\AccountPictures\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\images\\wininit.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\RuntimeBroker.exe\", \"C:\\Recovery\\OEM\\System.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\AccountPictures\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\images\\wininit.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\RuntimeBroker.exe\", \"C:\\Recovery\\OEM\\System.exe\", \"C:\\bridgeHypercomComponentHost\\mscontainerWindll.exe\""	mscontainerWindll.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	3244	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	3244	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	3244	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	3244	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	3244	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	3244	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	3244	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	3244	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	3244	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	3244	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	3244	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	3244	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	3244	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	3244	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	3244	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	3244	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	3244	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	3244	schtasks.exe	84

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	mscontainerWindll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	loader.exe

Executes dropped EXE 6 IoCs

pid	Process
3820	loader.exe
2724	mscontainerWindll.exe
3460	loader.exe
3008	mscontainerWindll.exe
2040	mscontainerWindll.exe
1780	wininit.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Internet Explorer\\images\\wininit.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Internet Explorer\\images\\wininit.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\MSBuild\\Microsoft\\RuntimeBroker.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\OEM\\System.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscontainerWindll = "\"C:\\bridgeHypercomComponentHost\\mscontainerWindll.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Public\\AccountPictures\\Registry.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscontainerWindll = "\"C:\\bridgeHypercomComponentHost\\mscontainerWindll.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Public\\AccountPictures\\Registry.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\MSBuild\\Microsoft\\RuntimeBroker.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\OEM\\System.exe\""	mscontainerWindll.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC255624D2E6394333BCFBF914739A4A8.TMP	csc.exe
File created	\??\c:\Windows\System32\mh5keo.exe	csc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3820	loader.exe
3820	loader.exe
3460	loader.exe
3460	loader.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\RuntimeBroker.exe	mscontainerWindll.exe
File created	C:\Program Files\MSBuild\Microsoft\9e8d7a4ca61bd9	mscontainerWindll.exe
File created	C:\Program Files (x86)\Internet Explorer\images\wininit.exe	mscontainerWindll.exe
File created	C:\Program Files (x86)\Internet Explorer\images\56085415360792	mscontainerWindll.exe
File created	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	mscontainerWindll.exe
File created	C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e	mscontainerWindll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	loader.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	loader.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	mscontainerWindll.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4012	schtasks.exe
436	schtasks.exe
4264	schtasks.exe
3092	schtasks.exe
64	schtasks.exe
4544	schtasks.exe
3152	schtasks.exe
4432	schtasks.exe
4328	schtasks.exe
1612	schtasks.exe
2728	schtasks.exe
4496	schtasks.exe
1156	schtasks.exe
3720	schtasks.exe
3760	schtasks.exe
2908	schtasks.exe
1864	schtasks.exe
1172	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3820	loader.exe
3820	loader.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe
2724	mscontainerWindll.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
636	7zFM.exe
4332	taskmgr.exe
3008	mscontainerWindll.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	636	7zFM.exe
Token: 35	636	7zFM.exe
Token: SeSecurityPrivilege	636	7zFM.exe
Token: SeDebugPrivilege	2724	mscontainerWindll.exe
Token: SeDebugPrivilege	3008	mscontainerWindll.exe
Token: SeDebugPrivilege	4332	taskmgr.exe
Token: SeSystemProfilePrivilege	4332	taskmgr.exe
Token: SeCreateGlobalPrivilege	4332	taskmgr.exe
Token: SeDebugPrivilege	2040	mscontainerWindll.exe
Token: SeDebugPrivilege	1780	wininit.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
636	7zFM.exe
636	7zFM.exe
636	7zFM.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe
4332	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3820	loader.exe
3460	loader.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3820 wrote to memory of 912	3820	loader.exe	94
PID 3820 wrote to memory of 912	3820	loader.exe	94
PID 3820 wrote to memory of 912	3820	loader.exe	94
PID 912 wrote to memory of 3644	912	WScript.exe	96
PID 912 wrote to memory of 3644	912	WScript.exe	96
PID 912 wrote to memory of 3644	912	WScript.exe	96
PID 3644 wrote to memory of 2724	3644	cmd.exe	98
PID 3644 wrote to memory of 2724	3644	cmd.exe	98
PID 2724 wrote to memory of 680	2724	mscontainerWindll.exe	102
PID 2724 wrote to memory of 680	2724	mscontainerWindll.exe	102
PID 680 wrote to memory of 552	680	csc.exe	104
PID 680 wrote to memory of 552	680	csc.exe	104
PID 2724 wrote to memory of 4732	2724	mscontainerWindll.exe	120
PID 2724 wrote to memory of 4732	2724	mscontainerWindll.exe	120
PID 4732 wrote to memory of 4004	4732	cmd.exe	122
PID 4732 wrote to memory of 4004	4732	cmd.exe	122
PID 4732 wrote to memory of 4984	4732	cmd.exe	123
PID 4732 wrote to memory of 4984	4732	cmd.exe	123
PID 3460 wrote to memory of 3392	3460	loader.exe	125
PID 3460 wrote to memory of 3392	3460	loader.exe	125
PID 3460 wrote to memory of 3392	3460	loader.exe	125
PID 4732 wrote to memory of 3008	4732	cmd.exe	126
PID 4732 wrote to memory of 3008	4732	cmd.exe	126
PID 3392 wrote to memory of 228	3392	WScript.exe	128
PID 3392 wrote to memory of 228	3392	WScript.exe	128
PID 3392 wrote to memory of 228	3392	WScript.exe	128
PID 228 wrote to memory of 2040	228	cmd.exe	130
PID 228 wrote to memory of 2040	228	cmd.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\FATALITY CRACK.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:636

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4908

C:\Users\Admin\Desktop\loader.exe
"C:\Users\Admin\Desktop\loader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3820
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\bridgeHypercomComponentHost\u95boq3b7HFvqr.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\bridgeHypercomComponentHost\AAJff1lG8RICXs2A4EYTaC5p7dZ23zLFBkqYwYWng.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\bridgeHypercomComponentHost\mscontainerWindll.exe
      "C:\bridgeHypercomComponentHost/mscontainerWindll.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nws13ozb\nws13ozb.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:680
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES600D.tmp" "c:\Windows\System32\CSC255624D2E6394333BCFBF914739A4A8.TMP"
        6⤵
        
        PID:552
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4OLUxIQ9ql.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4732
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4004
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4984
      - C:\bridgeHypercomComponentHost\mscontainerWindll.exe
        
        "C:\bridgeHypercomComponentHost\mscontainerWindll.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ИНСТРУКЦИЯ.txt
1⤵
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\images\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\images\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\OEM\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\OEM\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\OEM\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mscontainerWindllm" /sc MINUTE /mo 12 /tr "'C:\bridgeHypercomComponentHost\mscontainerWindll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mscontainerWindll" /sc ONLOGON /tr "'C:\bridgeHypercomComponentHost\mscontainerWindll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mscontainerWindllm" /sc MINUTE /mo 14 /tr "'C:\bridgeHypercomComponentHost\mscontainerWindll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328

C:\Users\Admin\Desktop\loader.exe
"C:\Users\Admin\Desktop\loader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\bridgeHypercomComponentHost\u95boq3b7HFvqr.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\bridgeHypercomComponentHost\AAJff1lG8RICXs2A4EYTaC5p7dZ23zLFBkqYwYWng.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\bridgeHypercomComponentHost\mscontainerWindll.exe
      "C:\bridgeHypercomComponentHost/mscontainerWindll.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2040

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4332

C:\Program Files (x86)\Internet Explorer\images\wininit.exe
"C:\Program Files (x86)\Internet Explorer\images\wininit.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mscontainerWindll.exe.log

Filesize
1KB

MD5
3472240ba9018b36cebbb3fa4d9ecde2

SHA1
fa7d94af70df8bd1719c25cc1485c093354e3cb6

SHA256
4ff5eaa183765d37205065b36b4212117fe7cc93216a5cdc88649d8943b4f449

SHA512
4ac5bedcf0e686dd86e82ca4dc02f6ec0b5a3a5dd06056856dee7ef230f3abbf37e8237a08f3d9d31e24bf9c8a21eca04a824846a2f5bd50d6defd470a53db3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4OLUxIQ9ql.bat

Filesize
228B

MD5
cfb07e1ead6e4f6a8eb7b2b275cab2cc

SHA1
94555c63bb860f9f08263a057880a33b34b1472f

SHA256
252880ae958a7545ce60e5db52a74f5282cd829a537acde63442e69e1a64340e

SHA512
d65dc524e2f3701bc430d8b9f7cbb1eb5be1a5faf0023cfe8cd411ed651987d211587092793609a100a2526f442f6a8b8693ae4e50135ce872e468b4000f4249

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES600D.tmp

Filesize
1KB

MD5
9708df454b5b16b7de34e247779974c7

SHA1
7b4c312a934126cd4472eb281c9ed95e1af75ecd

SHA256
de3ad11487880f4fbb24379ea5ce1c2f0ca0ef53c502041388b125b78580fb3a

SHA512
e021e76dce602bf19f7ae73fa444de6b1283bf66942be34df0ec42c5acca9da07392bd9571894abb6622cd46c07791fba54b38850fe130b7abb7f3095f510e41

Download Submit
C:\Users\Admin\Desktop\loader.exe

Filesize
3.2MB

MD5
8faa9e2bbcb1f98cb3971b94f9feda41

SHA1
ab03732cdbc58c752057f2dd3c39e164e222476f

SHA256
026825e9ca81fe52b1833a5e2c838336bc645778da89ff5c266c65c9d750a490

SHA512
5a660bddaf58c15503861663d018e3444c40fc9a62cc2953a60e41c78561014db4911d4f1da80f70a492d6ff912765d93e08c3c39fce921580b034dfcc47d358

Download Submit
C:\Users\Admin\Desktop\ИНСТРУКЦИЯ.txt

Filesize
153B

MD5
e5bf3c592fa0a8639cc9d6c3afcfe101

SHA1
4edd2164926a8726069f360a91a33725c34da48c

SHA256
bd8b97d57eb446afcdb4d046b44417daaa4380d052da59d036528b6ea9293d9d

SHA512
ca3a1fcd7b11741dd29b1244b5103f3ef7e182b312e9e237e158c87bb0e5720e19044f22e98385a8e6feb0b33ccd689cccf55756b1588151de48f28b97c761bd

Download Submit
C:\bridgeHypercomComponentHost\AAJff1lG8RICXs2A4EYTaC5p7dZ23zLFBkqYwYWng.bat

Filesize
108B

MD5
836fc705ac99bb9e9c32457cd334e13e

SHA1
ebbb2cfd6a3260e482447d1c7871391ea8c75551

SHA256
e0446f377405745b3712c210adeda645441bc9f6b987756b53aa05ed167fbf9c

SHA512
ae2915671fee13ce19947eed0733d3de5b462ca8ef55b422259814004cc51df54a1ea58a6659a36a886103e84191f93fee5d7a134a50439a81c856645f88cc90

Download Submit
C:\bridgeHypercomComponentHost\mscontainerWindll.exe

Filesize
1.9MB

MD5
5a7bf976e09d1835a65809093075a1bc

SHA1
d2de32c02c3d6e79f185b6b5f91e95144ae5a033

SHA256
20ea6e36a40896c99a0549118ac01b9508dd72b484050c9b2ce4fb5ac805a950

SHA512
60c6f582e29415186d2fef58a469a6bd87e84daf084d8705f09605f331d015abb1a825d06343a797532561915e754015692e745de21c55ed6e52cb5ba47129c6

Download Submit
C:\bridgeHypercomComponentHost\u95boq3b7HFvqr.vbe

Filesize
246B

MD5
a672021e4678a1cee46a924baa63411c

SHA1
c4c27bf73768a3cc97d070e3d560e4f45affe9b4

SHA256
65a576bed74898f83fd527be9a715aaac80609066d01e8b16a691c5287bd15b5

SHA512
ea08511f0859767abdbc080e7dcbad20bced260cfb2b58ba51cc8d48d544fb36256f56887c25763f25d799fa225674d487d6f5826f835fb8462c0c6441c64b67

Download Submit
C:\windows\system32\mh5keo.exe

Filesize
4KB

MD5
7cbeb1fc46fba2e0bf0da36bb55dae9f

SHA1
d4924ff529df7c6d98d4794f7ef8cc4ceda7d35a

SHA256
c1efe8f4f3eef8197368fc6c98825733fbd4c47398d9c37afa6cb1d9190f2ddf

SHA512
aa7a4a461848bd9bb51f8bac19616ca9159a1388d160345acbb613094661c9bf2829d9cce0b6bd84881c3bb46f4f085843adfc76e7c2b12659620589682ca56f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nws13ozb\nws13ozb.0.cs

Filesize
376B

MD5
70ef3e07381396cb616f335ba7e51728

SHA1
90a6a5ac3a553f7f523eb7559b1de23d803e305c

SHA256
6bb1dd89e138a2df6e77c61b2c9325ad42d39da22febad06d9609a981873d232

SHA512
9134a83988f950ba1893ee7af279a2796f0960f8e1799de58b2528f692b918ffa6a1990d839798a5f01136d84b71ba86da86907512c6cc5a0b7cf9ebf5349e9c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nws13ozb\nws13ozb.cmdline

Filesize
235B

MD5
41af8ea7924de3825291c6d0fba8fe92

SHA1
d58e661a13ab9777ca2d4e01d681c8241c50f6d5

SHA256
d90d0d7da370d8912b4f93cd7bacac4cde341fff91345a4dd00c4ba036be7faa

SHA512
4de582c0f274f7a728827b2a30cdbe7b7a35dc780d1d3b0f95f14dccbe69bda08503c1c0eeefa8e78ae7403ee77ae83a5137571d15e3e5d1de751dbd1dafcb2a

Download Submit
\??\c:\Windows\System32\CSC255624D2E6394333BCFBF914739A4A8.TMP

Filesize
1KB

MD5
97a3a4ab7f63bb87648297531ccc5bf0

SHA1
9d175b8d02181c4284f0e14f165470292d462bd9

SHA256
f052e2c0a4308c072c22e2e8daa7734fc0a64885c57d2009a28160f7cddc3cc8

SHA512
154c35f3c2cac99c012d82679ff30e0e60c37140500d0c47ef788d803d8edaa1db02e4154277bc31af51cdd0e37ce00f4192c1baff3977c15a8c645140149db8

Download Submit
memory/2724-27-0x0000000001040000-0x000000000104E000-memory.dmp

Filesize
56KB

Download
memory/2724-34-0x0000000002950000-0x000000000295E000-memory.dmp

Filesize
56KB

Download
memory/2724-32-0x000000001C190000-0x000000001C1A8000-memory.dmp

Filesize
96KB

Download
memory/2724-30-0x000000001C1E0000-0x000000001C230000-memory.dmp

Filesize
320KB

Download
memory/2724-29-0x000000001B1A0000-0x000000001B1BC000-memory.dmp

Filesize
112KB

Download
memory/2724-25-0x0000000000480000-0x0000000000666000-memory.dmp

Filesize
1.9MB

Download
memory/2724-63-0x000000001C590000-0x000000001C5DE000-memory.dmp

Filesize
312KB

Download
memory/2724-36-0x0000000002960000-0x000000000296C000-memory.dmp

Filesize
48KB

Download
memory/3008-91-0x000000001E220000-0x000000001E26E000-memory.dmp

Filesize
312KB

Download
memory/3008-90-0x000000001BAD0000-0x000000001BAD8000-memory.dmp

Filesize
32KB

Download
memory/3460-67-0x0000000000220000-0x0000000000616000-memory.dmp

Filesize
4.0MB

Download
memory/3820-5-0x0000000000220000-0x0000000000616000-memory.dmp

Filesize
4.0MB

Download
memory/3820-19-0x0000000000220000-0x0000000000616000-memory.dmp

Filesize
4.0MB

Download
memory/4332-77-0x00000263ADA30000-0x00000263ADA31000-memory.dmp

Filesize
4KB

Download
memory/4332-87-0x00000263ADA30000-0x00000263ADA31000-memory.dmp

Filesize
4KB

Download
memory/4332-86-0x00000263ADA30000-0x00000263ADA31000-memory.dmp

Filesize
4KB

Download
memory/4332-85-0x00000263ADA30000-0x00000263ADA31000-memory.dmp

Filesize
4KB

Download
memory/4332-84-0x00000263ADA30000-0x00000263ADA31000-memory.dmp

Filesize
4KB

Download
memory/4332-82-0x00000263ADA30000-0x00000263ADA31000-memory.dmp

Filesize
4KB

Download
memory/4332-81-0x00000263ADA30000-0x00000263ADA31000-memory.dmp

Filesize
4KB

Download
memory/4332-83-0x00000263ADA30000-0x00000263ADA31000-memory.dmp

Filesize
4KB

Download
memory/4332-76-0x00000263ADA30000-0x00000263ADA31000-memory.dmp

Filesize
4KB

Download
memory/4332-75-0x00000263ADA30000-0x00000263ADA31000-memory.dmp

Filesize
4KB

Download