dcrat | c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

B1A3E0CF075438056659B4FBAEE9F80B.exe
Size

2.4MB
MD5

b1a3e0cf075438056659b4fbaee9f80b
SHA1

73c9bd7cd9e48b7ae22b397f538933f8c49b4674
SHA256

c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b
SHA512

ba37ffb6a906736cfe490a7934b9b1481c9cfcd59044d5333bb0193cbf39ae8c0d22599a0d38bd0b124d0fbb17701f41ac46b361f1bcf9f810c33d673633461f
SSDEEP

24576:GeJKuHmdcCw7sUL/4cIG5IuUegPImmW7ayqCwviBwyLBIShZgGaiCkX4GLP1L61+:JJKFdaMcQLBxW8qiTN

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\fr-FR\\B1A3E0CF075438056659B4FBAEE9F80B.exe\", \"C:\\Windows\\inf\\.NET Memory Cache 4.0\\csrss.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\dllhost.exe\""	B1A3E0CF075438056659B4FBAEE9F80B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\fr-FR\\B1A3E0CF075438056659B4FBAEE9F80B.exe\", \"C:\\Windows\\inf\\.NET Memory Cache 4.0\\csrss.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\dllhost.exe\", \"C:\\Windows\\SysWOW64\\ko-KR\\lsm.exe\""	B1A3E0CF075438056659B4FBAEE9F80B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\fr-FR\\B1A3E0CF075438056659B4FBAEE9F80B.exe\", \"C:\\Windows\\inf\\.NET Memory Cache 4.0\\csrss.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\dllhost.exe\", \"C:\\Windows\\SysWOW64\\ko-KR\\lsm.exe\", \"C:\\Users\\Default User\\dwm.exe\""	B1A3E0CF075438056659B4FBAEE9F80B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\fr-FR\\B1A3E0CF075438056659B4FBAEE9F80B.exe\""	B1A3E0CF075438056659B4FBAEE9F80B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\fr-FR\\B1A3E0CF075438056659B4FBAEE9F80B.exe\", \"C:\\Windows\\inf\\.NET Memory Cache 4.0\\csrss.exe\""	B1A3E0CF075438056659B4FBAEE9F80B.exe

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2904	schtasks.exe	30

DCRat payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/764-1-0x0000000000950000-0x0000000000BBE000-memory.dmp	family_dcrat_v2
behavioral1/files/0x00080000000174a6-61.dat	family_dcrat_v2
behavioral1/memory/2068-83-0x0000000000C60000-0x0000000000ECE000-memory.dmp	family_dcrat_v2

Executes dropped EXE 1 IoCs

pid	Process
2068	dllhost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\dllhost.exe\""	B1A3E0CF075438056659B4FBAEE9F80B.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\dllhost.exe\""	B1A3E0CF075438056659B4FBAEE9F80B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\B1A3E0CF075438056659B4FBAEE9F80B = "\"C:\\Program Files\\Windows Defender\\fr-FR\\B1A3E0CF075438056659B4FBAEE9F80B.exe\""	B1A3E0CF075438056659B4FBAEE9F80B.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\inf\\.NET Memory Cache 4.0\\csrss.exe\""	B1A3E0CF075438056659B4FBAEE9F80B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\inf\\.NET Memory Cache 4.0\\csrss.exe\""	B1A3E0CF075438056659B4FBAEE9F80B.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\SysWOW64\\ko-KR\\lsm.exe\""	B1A3E0CF075438056659B4FBAEE9F80B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\SysWOW64\\ko-KR\\lsm.exe\""	B1A3E0CF075438056659B4FBAEE9F80B.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default User\\dwm.exe\""	B1A3E0CF075438056659B4FBAEE9F80B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default User\\dwm.exe\""	B1A3E0CF075438056659B4FBAEE9F80B.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\B1A3E0CF075438056659B4FBAEE9F80B = "\"C:\\Program Files\\Windows Defender\\fr-FR\\B1A3E0CF075438056659B4FBAEE9F80B.exe\""	B1A3E0CF075438056659B4FBAEE9F80B.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ko-KR\lsm.exe	B1A3E0CF075438056659B4FBAEE9F80B.exe
File created	C:\Windows\SysWOW64\ko-KR\101b941d020240	B1A3E0CF075438056659B4FBAEE9F80B.exe
File created	\??\c:\Windows\System32\CSC9782DDFFF1FB4C7083CED340A225AC19.TMP	csc.exe
File created	\??\c:\Windows\System32\1woi1z.exe	csc.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\fr-FR\B1A3E0CF075438056659B4FBAEE9F80B.exe	B1A3E0CF075438056659B4FBAEE9F80B.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\B1A3E0CF075438056659B4FBAEE9F80B.exe	B1A3E0CF075438056659B4FBAEE9F80B.exe
File created	C:\Program Files\Windows Defender\fr-FR\2ca3ea17a77ffe	B1A3E0CF075438056659B4FBAEE9F80B.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\inf\.NET Memory Cache 4.0\csrss.exe	B1A3E0CF075438056659B4FBAEE9F80B.exe
File created	C:\Windows\inf\.NET Memory Cache 4.0\886983d96e3d3e	B1A3E0CF075438056659B4FBAEE9F80B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1988	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1988	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1868	schtasks.exe
1664	schtasks.exe
1880	schtasks.exe
1996	schtasks.exe
1624	schtasks.exe
2716	schtasks.exe
1720	schtasks.exe
1348	schtasks.exe
2820	schtasks.exe
660	schtasks.exe
1980	schtasks.exe
1544	schtasks.exe
2588	schtasks.exe
668	schtasks.exe
1676	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe
764	B1A3E0CF075438056659B4FBAEE9F80B.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	764	B1A3E0CF075438056659B4FBAEE9F80B.exe
Token: SeDebugPrivilege	2068	dllhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2068	dllhost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 2616	764	B1A3E0CF075438056659B4FBAEE9F80B.exe	34
PID 764 wrote to memory of 2616	764	B1A3E0CF075438056659B4FBAEE9F80B.exe	34
PID 764 wrote to memory of 2616	764	B1A3E0CF075438056659B4FBAEE9F80B.exe	34
PID 2616 wrote to memory of 2736	2616	csc.exe	36
PID 2616 wrote to memory of 2736	2616	csc.exe	36
PID 2616 wrote to memory of 2736	2616	csc.exe	36
PID 764 wrote to memory of 1388	764	B1A3E0CF075438056659B4FBAEE9F80B.exe	49
PID 764 wrote to memory of 1388	764	B1A3E0CF075438056659B4FBAEE9F80B.exe	49
PID 764 wrote to memory of 1388	764	B1A3E0CF075438056659B4FBAEE9F80B.exe	49
PID 1388 wrote to memory of 1832	1388	cmd.exe	51
PID 1388 wrote to memory of 1832	1388	cmd.exe	51
PID 1388 wrote to memory of 1832	1388	cmd.exe	51
PID 1388 wrote to memory of 1988	1388	cmd.exe	52
PID 1388 wrote to memory of 1988	1388	cmd.exe	52
PID 1388 wrote to memory of 1988	1388	cmd.exe	52
PID 1388 wrote to memory of 2068	1388	cmd.exe	54
PID 1388 wrote to memory of 2068	1388	cmd.exe	54
PID 1388 wrote to memory of 2068	1388	cmd.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\B1A3E0CF075438056659B4FBAEE9F80B.exe
"C:\Users\Admin\AppData\Local\Temp\B1A3E0CF075438056659B4FBAEE9F80B.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\au2tresz\au2tresz.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCABE.tmp" "c:\Windows\System32\CSC9782DDFFF1FB4C7083CED340A225AC19.TMP"
    3⤵
    PID:2736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\52cE5k8D4g.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1832
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1988
- - C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
    "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "B1A3E0CF075438056659B4FBAEE9F80BB" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\fr-FR\B1A3E0CF075438056659B4FBAEE9F80B.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "B1A3E0CF075438056659B4FBAEE9F80B" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\B1A3E0CF075438056659B4FBAEE9F80B.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "B1A3E0CF075438056659B4FBAEE9F80BB" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\fr-FR\B1A3E0CF075438056659B4FBAEE9F80B.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\inf\.NET Memory Cache 4.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\inf\.NET Memory Cache 4.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\inf\.NET Memory Cache 4.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\ko-KR\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\SysWOW64\ko-KR\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\SysWOW64\ko-KR\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\52cE5k8D4g.bat

Filesize
188B

MD5
83dce8155cf6c805dd55ceef8a22eee2

SHA1
ec536748c2c51102a33f7acbaaee7f3abd6e0088

SHA256
d2a89e270d533ed2d5c771e5903b8614cebb0aab6eb2cbaa398046aebf96786f

SHA512
8d725e00eaae6d3377844883142e8071da21cabef8cfac1ba0c6c160d726f27d2aa450f1e5add1794a9cee75ad121e573d4f66563b77f1bcda7d43e4b00aa6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCABE.tmp

Filesize
1KB

MD5
fa425739a61beab26750a65b3e4f8312

SHA1
9e7c9ce251885fa1ab621db3fab461cee3f777b1

SHA256
8966497eee4a7d8297405ef95d2181b2de4cde507ad1fc03db1c9150ec9237c5

SHA512
f53223cd1be64d2180b77865ef0168b55db8130f76d9b66e81571632b4a2f91fa950f8142be0585d87c591be618bb13dbd817117e3926f1da91f73a390a3337b

Download Submit
C:\Users\Default\dwm.exe

Filesize
2.4MB

MD5
b1a3e0cf075438056659b4fbaee9f80b

SHA1
73c9bd7cd9e48b7ae22b397f538933f8c49b4674

SHA256
c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b

SHA512
ba37ffb6a906736cfe490a7934b9b1481c9cfcd59044d5333bb0193cbf39ae8c0d22599a0d38bd0b124d0fbb17701f41ac46b361f1bcf9f810c33d673633461f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\au2tresz\au2tresz.0.cs

Filesize
408B

MD5
0da2e0240cb2bc53d181dc0b23d43f95

SHA1
536be097fa90304157bacc2f4c3a30f90ccb90dd

SHA256
475a3822beaab9ffd711823e2040b3bbbe2f557758587a511de9c74ba678e580

SHA512
5ba8e3d849e825545d5455e5b22da7bb844e0af1a6ffb8b81d2fb6154b6f63b7856c6ede8780b963400c247ff5623b6e535dba30bb65f0e3a0d3c5fad7acb9c3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\au2tresz\au2tresz.cmdline

Filesize
235B

MD5
f3c9f9b9693adde6841ded59e4cfc0bf

SHA1
8123a2ef24dfa5c00e5ff5ccf2ab088816e74606

SHA256
f0f871c39d315cb7c38cf0e255b853dd5a3dc9d4dcb67417c4d9d472177f49b6

SHA512
5e059106f39c59ff131dd532530b6728a96149a51c10c7cf8da9129e20cc11b01a64b6ae04bf6361cf039421a74743ce5b82a9a8233a2954372e918426ac1d14

Download Submit
\??\c:\Windows\System32\CSC9782DDFFF1FB4C7083CED340A225AC19.TMP

Filesize
1KB

MD5
dcd286f3a69cfd0292a8edbc946f8553

SHA1
4d347ac1e8c1d75fc139878f5646d3a0b083ef17

SHA256
29e03364271673f4b388131b7773d016df859bb0b1c5e6c3ad6914a632600596

SHA512
4b9546033bd4957263854fbb0a87aa1d57ce3afbce7bf03b12b05b78f97c5a27c52c1d73e34b6a5ba2c395e26ec9c474a32609441b99cf78ea707113fca96f77

Download Submit
memory/764-33-0x0000000000550000-0x000000000055E000-memory.dmp

Filesize
56KB

Download
memory/764-38-0x00000000008E0000-0x00000000008F0000-memory.dmp

Filesize
64KB

Download
memory/764-11-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

Filesize
9.9MB

Download
memory/764-13-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/764-15-0x0000000000510000-0x0000000000528000-memory.dmp

Filesize
96KB

Download
memory/764-17-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download
memory/764-19-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/764-20-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

Filesize
9.9MB

Download
memory/764-22-0x0000000000530000-0x000000000053E000-memory.dmp

Filesize
56KB

Download
memory/764-24-0x0000000000880000-0x0000000000892000-memory.dmp

Filesize
72KB

Download
memory/764-26-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/764-28-0x00000000008A0000-0x00000000008B6000-memory.dmp

Filesize
88KB

Download
memory/764-29-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

Filesize
9.9MB

Download
memory/764-31-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/764-0-0x000007FEF5213000-0x000007FEF5214000-memory.dmp

Filesize
4KB

Download
memory/764-34-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

Filesize
9.9MB

Download
memory/764-36-0x0000000000560000-0x0000000000570000-memory.dmp

Filesize
64KB

Download
memory/764-10-0x0000000000300000-0x000000000031C000-memory.dmp

Filesize
112KB

Download
memory/764-39-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

Filesize
9.9MB

Download
memory/764-41-0x0000000002250000-0x00000000022AA000-memory.dmp

Filesize
360KB

Download
memory/764-43-0x00000000008F0000-0x00000000008FE000-memory.dmp

Filesize
56KB

Download
memory/764-45-0x0000000000900000-0x0000000000910000-memory.dmp

Filesize
64KB

Download
memory/764-47-0x0000000000910000-0x000000000091E000-memory.dmp

Filesize
56KB

Download
memory/764-49-0x0000000002330000-0x0000000002348000-memory.dmp

Filesize
96KB

Download
memory/764-50-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

Filesize
9.9MB

Download
memory/764-52-0x00000000024C0000-0x000000000250E000-memory.dmp

Filesize
312KB

Download
memory/764-9-0x0000000000470000-0x000000000048C000-memory.dmp

Filesize
112KB

Download
memory/764-7-0x00000000002F0000-0x00000000002FE000-memory.dmp

Filesize
56KB

Download
memory/764-5-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

Filesize
9.9MB

Download
memory/764-4-0x0000000000320000-0x0000000000346000-memory.dmp

Filesize
152KB

Download
memory/764-2-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

Filesize
9.9MB

Download
memory/764-79-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

Filesize
9.9MB

Download
memory/764-1-0x0000000000950000-0x0000000000BBE000-memory.dmp

Filesize
2.4MB

Download
memory/2068-83-0x0000000000C60000-0x0000000000ECE000-memory.dmp

Filesize
2.4MB

Download