dcrat | c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Size

2.4MB
MD5

b1a3e0cf075438056659b4fbaee9f80b
SHA1

73c9bd7cd9e48b7ae22b397f538933f8c49b4674
SHA256

c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b
SHA512

ba37ffb6a906736cfe490a7934b9b1481c9cfcd59044d5333bb0193cbf39ae8c0d22599a0d38bd0b124d0fbb17701f41ac46b361f1bcf9f810c33d673633461f
SSDEEP

24576:GeJKuHmdcCw7sUL/4cIG5IuUegPImmW7ayqCwviBwyLBIShZgGaiCkX4GLP1L61+:JJKFdaMcQLBxW8qiTN

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\winlogon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\lsass.exe\", \"C:\\Users\\Default\\Videos\\c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe\", \"C:\\Users\\Default User\\csrss.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\winlogon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\lsass.exe\", \"C:\\Users\\Default\\Videos\\c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\explorer.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\winlogon.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\winlogon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\lsass.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\winlogon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\lsass.exe\", \"C:\\Users\\Default\\Videos\\c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2700	schtasks.exe	30

DCRat payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3020-1-0x00000000001B0000-0x000000000041E000-memory.dmp	family_dcrat_v2
behavioral1/files/0x0009000000016d5e-61.dat	family_dcrat_v2
behavioral1/memory/2924-83-0x0000000001100000-0x000000000136E000-memory.dmp	family_dcrat_v2

Executes dropped EXE 1 IoCs

Processes:

winlogon.exe

pid	Process
2924	winlogon.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\winlogon.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\winlogon.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\lsass.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\lsass.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b = "\"C:\\Users\\Default\\Videos\\c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b = "\"C:\\Users\\Default\\Videos\\c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\explorer.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\explorer.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	Process
File created	\??\c:\Windows\System32\CSCD5D76B5B9EC84971801EBD60FC1CF8A.TMP	csc.exe
File created	\??\c:\Windows\System32\dzuhbf.exe	csc.exe

Drops file in Program Files directory 5 IoCs

Processes:

c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\6203df4a6bafc7	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\winlogon.exe	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\winlogon.exe	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\cc11b995f2a76d	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2800	schtasks.exe
3064	schtasks.exe
568	schtasks.exe
1856	schtasks.exe
776	schtasks.exe
1936	schtasks.exe
2756	schtasks.exe
1244	schtasks.exe
2832	schtasks.exe
2472	schtasks.exe
980	schtasks.exe
2880	schtasks.exe
348	schtasks.exe
592	schtasks.exe
2784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe

pid	Process
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

winlogon.exe

pid	Process
2924	winlogon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exewinlogon.exe

description	pid	Process
Token: SeDebugPrivilege	3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Token: SeDebugPrivilege	2924	winlogon.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

winlogon.exe

pid	Process
2924	winlogon.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.execsc.execmd.exe

description	pid	Process	procid_target
PID 3020 wrote to memory of 2740	3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe	34
PID 3020 wrote to memory of 2740	3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe	34
PID 3020 wrote to memory of 2740	3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe	34
PID 2740 wrote to memory of 2584	2740	csc.exe	36
PID 2740 wrote to memory of 2584	2740	csc.exe	36
PID 2740 wrote to memory of 2584	2740	csc.exe	36
PID 3020 wrote to memory of 1948	3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe	49
PID 3020 wrote to memory of 1948	3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe	49
PID 3020 wrote to memory of 1948	3020	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe	49
PID 1948 wrote to memory of 1516	1948	cmd.exe	51
PID 1948 wrote to memory of 1516	1948	cmd.exe	51
PID 1948 wrote to memory of 1516	1948	cmd.exe	51
PID 1948 wrote to memory of 1836	1948	cmd.exe	52
PID 1948 wrote to memory of 1836	1948	cmd.exe	52
PID 1948 wrote to memory of 1836	1948	cmd.exe	52
PID 1948 wrote to memory of 2924	1948	cmd.exe	54
PID 1948 wrote to memory of 2924	1948	cmd.exe	54
PID 1948 wrote to memory of 2924	1948	cmd.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
"C:\Users\Admin\AppData\Local\Temp\c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tu4frwdf\tu4frwdf.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA98.tmp" "c:\Windows\System32\CSCD5D76B5B9EC84971801EBD60FC1CF8A.TMP"
    3⤵
    PID:2584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gADSHAP3Us.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1516
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1836
- - C:\Program Files (x86)\Adobe\Reader 9.0\winlogon.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813bc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Videos\c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b" /sc ONLOGON /tr "'C:\Users\Default\Videos\c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813bc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Videos\c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe

Filesize
2.4MB

MD5
b1a3e0cf075438056659b4fbaee9f80b

SHA1
73c9bd7cd9e48b7ae22b397f538933f8c49b4674

SHA256
c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b

SHA512
ba37ffb6a906736cfe490a7934b9b1481c9cfcd59044d5333bb0193cbf39ae8c0d22599a0d38bd0b124d0fbb17701f41ac46b361f1bcf9f810c33d673633461f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBA98.tmp

Filesize
1KB

MD5
b6eb638e99f4853f57d1992a4a7ff715

SHA1
2c460b93ea4f326978e8254f1673c1b174895f74

SHA256
db1d6ba19d77ec3b51b676214bb48c0b0a1b6d8af3d39730086aec0a7749de26

SHA512
737e98cceaf1750b85c15896cd2666838e4b9bd3cd641cb93c3ae8b9950bb2c1f2481d58828319fa79b7770f9cba597efe00afcf545786a0e90fedb453716707

Download Submit
C:\Users\Admin\AppData\Local\Temp\gADSHAP3Us.bat

Filesize
228B

MD5
092f025d4a123c7489f25e9ee48c31b4

SHA1
6d0373ae5f908cdb889cf548a08550e8f381c381

SHA256
bbb6d9f7b45da218c36f165eafc09ed19145563c9746286d16804df36b2c6e9d

SHA512
b53597684bcf6e6f5037d2b8d8f73ebce4bce90d6095627c2cb7aa9965606827f0d248eb364957ee981ad4594894f4998a09c8594699d606340eaac0cc4315cd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tu4frwdf\tu4frwdf.0.cs

Filesize
384B

MD5
41fa29671d97b4c3591accbe5d412ab4

SHA1
e06a0e7465869944f70d756dc1da964503dd98b4

SHA256
63e26370f53ef22d5f21ec9193203b10dca7920f43ba4a675f9a7e9c3e9e6087

SHA512
0b9e597b6ab967ec19f12d87850f2a866b93cb149825c4be18125ad0057cc97d032b80fe9f6250820a14be6f4a9bd26a88f854a6cbff74e2104e5e4c01968ee2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tu4frwdf\tu4frwdf.cmdline

Filesize
235B

MD5
ca203b2ca1c5c0d7434f7257f4a75722

SHA1
d525834967a8ca796faa00ec13e67012c8d671d6

SHA256
6a6031c9951090546118abd8e677e63a95cff0bac30fe924c5ff42dcefbff090

SHA512
0a57c3e1641a9f73f630b43b6029478111900a3be609a3200922c18330bfa5f78a7bd9586b403115d3be9b00398195280f61b950eecfa96291d03f22320d9acf

Download Submit
\??\c:\Windows\System32\CSCD5D76B5B9EC84971801EBD60FC1CF8A.TMP

Filesize
1KB

MD5
9446a6998523ec187daa3d79bec9c8fa

SHA1
16c7f73aef03c8a15b4d9e8b1cfa5183caf7ca96

SHA256
f55f1bd2c1246cfb3b60cd8649fcc78b3837896bdf5132d6fc8ea0ecabf892d7

SHA512
fac3ad1b0c8663aaa94cd66b6ea0aa1848e570ff4a22b709cf2696abb76e28f42fb0d2a74316a7ad86bb6216177013c6b71ce2f4df139edc3054a03ee3467c9d

Download Submit
memory/2924-83-0x0000000001100000-0x000000000136E000-memory.dmp

Filesize
2.4MB

Download
memory/3020-30-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3020-38-0x0000000002170000-0x0000000002180000-memory.dmp

Filesize
64KB

Download
memory/3020-28-0x0000000002200000-0x0000000002212000-memory.dmp

Filesize
72KB

Download
memory/3020-26-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-25-0x0000000000780000-0x000000000078E000-memory.dmp

Filesize
56KB

Download
memory/3020-23-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-22-0x00000000006F0000-0x0000000000700000-memory.dmp

Filesize
64KB

Download
memory/3020-20-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-19-0x00000000006E0000-0x00000000006F0000-memory.dmp

Filesize
64KB

Download
memory/3020-17-0x0000000002130000-0x0000000002148000-memory.dmp

Filesize
96KB

Download
memory/3020-15-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-14-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-13-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/3020-0-0x000007FEF5463000-0x000007FEF5464000-memory.dmp

Filesize
4KB

Download
memory/3020-32-0x0000000002220000-0x0000000002236000-memory.dmp

Filesize
88KB

Download
memory/3020-34-0x0000000002340000-0x0000000002352000-memory.dmp

Filesize
72KB

Download
memory/3020-36-0x0000000002160000-0x000000000216E000-memory.dmp

Filesize
56KB

Download
memory/3020-11-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-40-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/3020-42-0x000000001AA10000-0x000000001AA6A000-memory.dmp

Filesize
360KB

Download
memory/3020-44-0x0000000002370000-0x000000000237E000-memory.dmp

Filesize
56KB

Download
memory/3020-46-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/3020-48-0x0000000002390000-0x000000000239E000-memory.dmp

Filesize
56KB

Download
memory/3020-50-0x000000001A8D0000-0x000000001A8E8000-memory.dmp

Filesize
96KB

Download
memory/3020-52-0x000000001AE90000-0x000000001AEDE000-memory.dmp

Filesize
312KB

Download
memory/3020-10-0x0000000000680000-0x000000000069C000-memory.dmp

Filesize
112KB

Download
memory/3020-9-0x00000000006D0000-0x00000000006EC000-memory.dmp

Filesize
112KB

Download
memory/3020-7-0x0000000000670000-0x000000000067E000-memory.dmp

Filesize
56KB

Download
memory/3020-5-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-4-0x00000000006A0000-0x00000000006C6000-memory.dmp

Filesize
152KB

Download
memory/3020-2-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-80-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-1-0x00000000001B0000-0x000000000041E000-memory.dmp

Filesize
2.4MB

Download