dcrat | e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
Size

1.8MB
MD5

382eaedc34bfc15b7e749fb8a0cff600
SHA1

d8729997725a187120ee95e1d6068586a13ab678
SHA256

e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a
SHA512

f2be10566728f10a1396abf3115a01d98a5b06d18b94e84ecb6fbb012f1ad3ad588be84f09ceafa55bc9fd65a7e6763c68ca67596141c750ae54a2bebfc5c16b
SSDEEP

24576:nfNh6iTrBgSq+kdkpupwocpF4jGdWWfWanontd7ksYKtAwqgKchGGqGLk6kIv/D5:f3/kGAwaCYO4ngs7wg8UkcX

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\winlogon.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\csrss.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Windows\\ServiceProfiles\\LocalService\\Desktop\\csrss.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Windows\\ServiceProfiles\\LocalService\\Desktop\\csrss.exe\", \"C:\\Users\\Default User\\services.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Windows\\ServiceProfiles\\LocalService\\Desktop\\csrss.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2772	schtasks.exe	31

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2392	powershell.exe
2200	powershell.exe
2168	powershell.exe
2144	powershell.exe
2068	powershell.exe
2108	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
876	csrss.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\winlogon.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Mozilla Firefox\\csrss.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\ServiceProfiles\\LocalService\\Desktop\\csrss.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default User\\services.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default User\\services.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\winlogon.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Mozilla Firefox\\csrss.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\ServiceProfiles\\LocalService\\Desktop\\csrss.exe\""	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCADAFE7CB11714333922B35E62D4CC926.TMP	csc.exe
File created	\??\c:\Windows\System32\9w3j6e.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
File created	C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
File created	C:\Program Files\Mozilla Firefox\csrss.exe	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
File created	C:\Program Files\Mozilla Firefox\886983d96e3d3e	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\Desktop\csrss.exe	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
File created	C:\Windows\ServiceProfiles\LocalService\Desktop\886983d96e3d3e	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2404	schtasks.exe
2848	schtasks.exe
2440	schtasks.exe
1044	schtasks.exe
2676	schtasks.exe
1236	schtasks.exe
2700	schtasks.exe
2832	schtasks.exe
1100	schtasks.exe
2660	schtasks.exe
2420	schtasks.exe
2612	schtasks.exe
3028	schtasks.exe
2840	schtasks.exe
1988	schtasks.exe
1928	schtasks.exe
2120	schtasks.exe
2432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	876	csrss.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2312	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	35
PID 2732 wrote to memory of 2312	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	35
PID 2732 wrote to memory of 2312	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	35
PID 2312 wrote to memory of 2820	2312	csc.exe	37
PID 2312 wrote to memory of 2820	2312	csc.exe	37
PID 2312 wrote to memory of 2820	2312	csc.exe	37
PID 2732 wrote to memory of 2068	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	53
PID 2732 wrote to memory of 2068	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	53
PID 2732 wrote to memory of 2068	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	53
PID 2732 wrote to memory of 2108	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	54
PID 2732 wrote to memory of 2108	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	54
PID 2732 wrote to memory of 2108	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	54
PID 2732 wrote to memory of 2392	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	55
PID 2732 wrote to memory of 2392	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	55
PID 2732 wrote to memory of 2392	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	55
PID 2732 wrote to memory of 2200	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	56
PID 2732 wrote to memory of 2200	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	56
PID 2732 wrote to memory of 2200	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	56
PID 2732 wrote to memory of 2168	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	57
PID 2732 wrote to memory of 2168	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	57
PID 2732 wrote to memory of 2168	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	57
PID 2732 wrote to memory of 2144	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	58
PID 2732 wrote to memory of 2144	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	58
PID 2732 wrote to memory of 2144	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	58
PID 2732 wrote to memory of 436	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	65
PID 2732 wrote to memory of 436	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	65
PID 2732 wrote to memory of 436	2732	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe	65
PID 436 wrote to memory of 1496	436	cmd.exe	67
PID 436 wrote to memory of 1496	436	cmd.exe	67
PID 436 wrote to memory of 1496	436	cmd.exe	67
PID 436 wrote to memory of 2060	436	cmd.exe	68
PID 436 wrote to memory of 2060	436	cmd.exe	68
PID 436 wrote to memory of 2060	436	cmd.exe	68
PID 436 wrote to memory of 876	436	cmd.exe	69
PID 436 wrote to memory of 876	436	cmd.exe	69
PID 436 wrote to memory of 876	436	cmd.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe
"C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\25033rme\25033rme.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD81.tmp" "c:\Windows\System32\CSCADAFE7CB11714333922B35E62D4CC926.TMP"
    3⤵
    PID:2820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\Desktop\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjdb6Ev5FT.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1496
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2060
- - C:\Program Files\Mozilla Firefox\csrss.exe
    "C:\Program Files\Mozilla Firefox\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aNe" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aNe" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847aN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe

Filesize
1.8MB

MD5
382eaedc34bfc15b7e749fb8a0cff600

SHA1
d8729997725a187120ee95e1d6068586a13ab678

SHA256
e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a

SHA512
f2be10566728f10a1396abf3115a01d98a5b06d18b94e84ecb6fbb012f1ad3ad588be84f09ceafa55bc9fd65a7e6763c68ca67596141c750ae54a2bebfc5c16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFD81.tmp

Filesize
1KB

MD5
928e82d2059aceb6b93cf83ac62e9fee

SHA1
74baa18e5dff8d976157ed3a41fc4b3ed255ece7

SHA256
64db97e1d682f172cf4d193ac66df2a8a24d0f2dce18920a4142cdd7956a41ff

SHA512
ba8167cb2b733b4333f7c90b9b35bc5aae0dae7702c86df8db92705e3d62d302b27586b1dacdd3d9e970b77b170e35799c08d772023e03bebb0726f6e7730893

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjdb6Ev5FT.bat

Filesize
218B

MD5
a231c8806827286634271b6c3d288461

SHA1
3e26dcf1423b37efae6f4e7f8c1e4fe1247267db

SHA256
43b489893f231e5e67d19aae67c7d7bdc10e834a432c3b1184700b6cd46b43e8

SHA512
ead58949b20660ce4346c3b7a81bf1af92d87d652094b9145fc48ff9f2ffc1a3c68c40ec6f4f087a13e26669810fff17b1973bb3f4d48eb5873949fa6a8c0b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bbd523e9d7ad5a0e2841101d55401c69

SHA1
aa2b17d335bdef8e588aeacbd53fbc0b7d343339

SHA256
9da2136119f85a947de8a13d29b5a95ebaffd11c9056f005321fa2c45578d823

SHA512
970cb5896aa54ee7088329e517e3ed81a7c0954b7ee5370470424fe75647268c606eaa360308d05baf320cdfb07b431a57453378f3704763e5577617e2d4ed8a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\25033rme\25033rme.0.cs

Filesize
393B

MD5
d8e9aebce8d9cddb9d6d73c14e93b64d

SHA1
b491c41ef9e0cadcfe540b2bce70a0322c6164f4

SHA256
6126e89657fea97f66fc21da298602f13441cf9bf03fd2ab2348e65c42cfee3b

SHA512
5e2287203b3f82a9da1c223a049578bc5520e01f0dbeffd28899a6da0f71740aa7e034ee674512c6801388446bed3f69764520a5e25091babaef734ed11b0a19

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\25033rme\25033rme.cmdline

Filesize
235B

MD5
3efdd013f5fb9c49c649842511279faa

SHA1
d6a8f3d9bf4cf7272b0bab2b2765db7acd6fa42b

SHA256
2d7fdfb017d1e3f00fdce5123704cefd261327b88894d5f8af17cd332f45e088

SHA512
184e12e931f1a39760420e0627f3a9e84b6afa99e97dd32759604241f0b1841111230678d5bfab68e58a306b9f27b194273c343aeb1dac98c90a7197e5d2a8fa

Download Submit
\??\c:\Windows\System32\CSCADAFE7CB11714333922B35E62D4CC926.TMP

Filesize
1KB

MD5
70046c6c63d509bb29450ef32b59dda3

SHA1
26802b73997ee22a7cd3d07ae77016969603cf00

SHA256
dd0e7409cd9412eafdd8f881d6094fb539ad19c7a54d76043de655a00f80f5d0

SHA512
d7b8d4ed84b8e1f5e416c378872bb7bc6d884341f0aa76f2c3b664f1ad0324a2d749c51718f3940d61663d152c35ba241ce0def03a002c6423a4d0957866c96f

Download Submit
memory/876-80-0x0000000000110000-0x00000000002EA000-memory.dmp

Filesize
1.9MB

Download
memory/2108-51-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/2108-50-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/2732-6-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/2732-4-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2732-2-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2732-12-0x00000000003B0000-0x00000000003C8000-memory.dmp

Filesize
96KB

Download
memory/2732-31-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2732-0-0x000007FEF5823000-0x000007FEF5824000-memory.dmp

Filesize
4KB

Download
memory/2732-10-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2732-7-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2732-14-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2732-9-0x0000000000190000-0x00000000001AC000-memory.dmp

Filesize
112KB

Download
memory/2732-3-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2732-33-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2732-1-0x0000000001230000-0x000000000140A000-memory.dmp

Filesize
1.9MB

Download
memory/2732-72-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2732-15-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download