dcrat | c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Size

2.4MB
MD5

b1a3e0cf075438056659b4fbaee9f80b
SHA1

73c9bd7cd9e48b7ae22b397f538933f8c49b4674
SHA256

c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b
SHA512

ba37ffb6a906736cfe490a7934b9b1481c9cfcd59044d5333bb0193cbf39ae8c0d22599a0d38bd0b124d0fbb17701f41ac46b361f1bcf9f810c33d673633461f
SSDEEP

24576:GeJKuHmdcCw7sUL/4cIG5IuUegPImmW7ayqCwviBwyLBIShZgGaiCkX4GLP1L61+:JJKFdaMcQLBxW8qiTN

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Links\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\csrss.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\dwm.exe\", \"C:\\Windows\\PolicyDefinitions\\de-DE\\TextInputHost.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Links\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\csrss.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\dwm.exe\", \"C:\\Windows\\PolicyDefinitions\\de-DE\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\RuntimeBroker.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Links\\unsecapp.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Links\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\csrss.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Links\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\csrss.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\dwm.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	4532	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	4532	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	4532	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	4532	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	4532	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	4532	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	4532	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	4532	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	4532	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	4532	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3768	4532	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	4532	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	4532	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	4532	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	4532	schtasks.exe	82

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/3616-1-0x00000000009B0000-0x0000000000C1E000-memory.dmp	family_dcrat_v2
behavioral2/files/0x000a000000023bae-63.dat	family_dcrat_v2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe

Executes dropped EXE 1 IoCs

pid	Process
3076	dwm.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Admin\\Links\\unsecapp.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\dwm.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\RuntimeBroker.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\RuntimeBroker.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Admin\\Links\\unsecapp.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\csrss.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\csrss.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\dwm.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\PolicyDefinitions\\de-DE\\TextInputHost.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\PolicyDefinitions\\de-DE\\TextInputHost.exe\""	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC615F3E54B3244FDCA6CBCED4A7FA8271.TMP	csc.exe
File created	\??\c:\Windows\System32\8zj1cq.exe	csc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\csrss.exe	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\886983d96e3d3e	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\dwm.exe	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\6cb0b6c459d5d3	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RuntimeBroker.exe	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\9e8d7a4ca61bd9	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\de-DE\TextInputHost.exe	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
File created	C:\Windows\PolicyDefinitions\de-DE\22eafd247d37c3	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
744	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
744	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1452	schtasks.exe
2944	schtasks.exe
4572	schtasks.exe
1200	schtasks.exe
3768	schtasks.exe
3160	schtasks.exe
3112	schtasks.exe
1604	schtasks.exe
3820	schtasks.exe
2392	schtasks.exe
3468	schtasks.exe
4116	schtasks.exe
3376	schtasks.exe
2508	schtasks.exe
3980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
Token: SeDebugPrivilege	3076	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3076	dwm.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 2988	3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe	86
PID 3616 wrote to memory of 2988	3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe	86
PID 2988 wrote to memory of 244	2988	csc.exe	88
PID 2988 wrote to memory of 244	2988	csc.exe	88
PID 3616 wrote to memory of 4768	3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe	101
PID 3616 wrote to memory of 4768	3616	c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe	101
PID 4768 wrote to memory of 1436	4768	cmd.exe	103
PID 4768 wrote to memory of 1436	4768	cmd.exe	103
PID 4768 wrote to memory of 744	4768	cmd.exe	104
PID 4768 wrote to memory of 744	4768	cmd.exe	104
PID 4768 wrote to memory of 3076	4768	cmd.exe	108
PID 4768 wrote to memory of 3076	4768	cmd.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe
"C:\Users\Admin\AppData\Local\Temp\c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\honazj1i\honazj1i.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93A5.tmp" "c:\Windows\System32\CSC615F3E54B3244FDCA6CBCED4A7FA8271.TMP"
    3⤵
    PID:244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cagrMTI3gD.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1436
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:744
- - C:\Program Files\Microsoft Office\PackageManifests\dwm.exe
    "C:\Program Files\Microsoft Office\PackageManifests\dwm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\Links\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Links\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\PackageManifests\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\PackageManifests\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Windows\PolicyDefinitions\de-DE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\de-DE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\de-DE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RuntimeBroker.exe

Filesize
2.4MB

MD5
b1a3e0cf075438056659b4fbaee9f80b

SHA1
73c9bd7cd9e48b7ae22b397f538933f8c49b4674

SHA256
c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b

SHA512
ba37ffb6a906736cfe490a7934b9b1481c9cfcd59044d5333bb0193cbf39ae8c0d22599a0d38bd0b124d0fbb17701f41ac46b361f1bcf9f810c33d673633461f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES93A5.tmp

Filesize
1KB

MD5
d6f297e815a4c99937420116b3820ad5

SHA1
61d1d6e276d914eef2beaa41f2d129f02bcdbc94

SHA256
c9b2b57eaacaae4a5532f7086776a7baf1a34104e16c84b22285c6619dc48c0c

SHA512
791e75728072a9f0e71d4e5726edf1226f4698a85d834e5f7879f44efe1972933787676d4a93a326a99f50674730b3d98ddd56fd1b773fc467e81e1ded8a7aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cagrMTI3gD.bat

Filesize
186B

MD5
1f7e493c149ae501f7c8b512c994f408

SHA1
bc7921de85dd7f1b44c91ab15eb74492348c2a1b

SHA256
58b1b58fcba54f291662bc61d59e42d4d43322af686414e8d65f10205eff4558

SHA512
8ebcab274b48d023a084597b83476a10eb2cdee18c62c2aff7bf4362b6053afe51869a1eab4785f5ccb95dfec8cd1ae362049f24394e9c12a7e404b2b07f9962

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\honazj1i\honazj1i.0.cs

Filesize
365B

MD5
aa72a7befa4bf7f59a83d2042d27199f

SHA1
8369a4326579094b425bd8dbdce129f768e55ba7

SHA256
a057ea0de601eba0caf4ec5b3be42bc007c7826cb9d407505d61d3c8aab1d6a3

SHA512
01585b35e60cac427b87a31be06a46f6ff207f0279f0ae6992839cf6b36fb378ac2b89dc1ca875a32fc4ceaa0f7b6fab3c5f4fefde59fb841f490a5b0f63d1de

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\honazj1i\honazj1i.cmdline

Filesize
235B

MD5
423deb19bfe325ac1bb9cd813b545a3d

SHA1
216e8329b7a7176d10b3492cc638d95d73ecdbfb

SHA256
c289b47d7bdd799cdf855c40942015404a915cc277cbf7e9e5741d6bc1493da3

SHA512
2ec9e2ca8a2b79ceee2b69c5c2ce458d962bc9291212fb8e02da9ed169e67547d5232d699a8aec0b192be644dbd4ddf613e70bdf4bc3bbcffaffad1a9be9eb34

Download Submit
\??\c:\Windows\System32\CSC615F3E54B3244FDCA6CBCED4A7FA8271.TMP

Filesize
1KB

MD5
d544bac668d308d2aba58ded2c13d82d

SHA1
e5dd50ef24d5c16629092f9290661a92387773b3

SHA256
84b05d56c45fd0382410fcd59e16aeef467ed0a455595dda88386dd5c87d7a02

SHA512
0826de2bc95d93dde2c540d2d768a0188481ee88f1da79f9c7d70d7ccd3c8715b8f1d62053f84d14f19e4d2b0a13e67084d970a158464e6223e340eb0733e1b0

Download Submit
memory/3616-26-0x00007FFAA2AA0000-0x00007FFAA3561000-memory.dmp

Filesize
10.8MB

Download
memory/3616-36-0x000000001B950000-0x000000001B95E000-memory.dmp

Filesize
56KB

Download
memory/3616-11-0x000000001B900000-0x000000001B950000-memory.dmp

Filesize
320KB

Download
memory/3616-13-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/3616-14-0x00007FFAA2AA0000-0x00007FFAA3561000-memory.dmp

Filesize
10.8MB

Download
memory/3616-16-0x000000001B780000-0x000000001B798000-memory.dmp

Filesize
96KB

Download
memory/3616-18-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

Filesize
64KB

Download
memory/3616-22-0x000000001B770000-0x000000001B77E000-memory.dmp

Filesize
56KB

Download
memory/3616-20-0x000000001B760000-0x000000001B770000-memory.dmp

Filesize
64KB

Download
memory/3616-23-0x00007FFAA2AA0000-0x00007FFAA3561000-memory.dmp

Filesize
10.8MB

Download
memory/3616-25-0x000000001B970000-0x000000001B982000-memory.dmp

Filesize
72KB

Download
memory/3616-28-0x000000001B8F0000-0x000000001B900000-memory.dmp

Filesize
64KB

Download
memory/3616-30-0x000000001B990000-0x000000001B9A6000-memory.dmp

Filesize
88KB

Download
memory/3616-32-0x000000001B9B0000-0x000000001B9C2000-memory.dmp

Filesize
72KB

Download
memory/3616-0-0x00007FFAA2AA3000-0x00007FFAA2AA5000-memory.dmp

Filesize
8KB

Download
memory/3616-33-0x00007FFAA2AA0000-0x00007FFAA3561000-memory.dmp

Filesize
10.8MB

Download
memory/3616-38-0x000000001B960000-0x000000001B970000-memory.dmp

Filesize
64KB

Download
memory/3616-10-0x000000001B740000-0x000000001B75C000-memory.dmp

Filesize
112KB

Download
memory/3616-39-0x00007FFAA2AA0000-0x00007FFAA3561000-memory.dmp

Filesize
10.8MB

Download
memory/3616-41-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

Filesize
64KB

Download
memory/3616-34-0x000000001BF00000-0x000000001C428000-memory.dmp

Filesize
5.2MB

Download
memory/3616-42-0x00007FFAA2AA0000-0x00007FFAA3561000-memory.dmp

Filesize
10.8MB

Download
memory/3616-44-0x000000001BA40000-0x000000001BA9A000-memory.dmp

Filesize
360KB

Download
memory/3616-46-0x000000001B9E0000-0x000000001B9EE000-memory.dmp

Filesize
56KB

Download
memory/3616-48-0x000000001B9F0000-0x000000001BA00000-memory.dmp

Filesize
64KB

Download
memory/3616-50-0x000000001BA00000-0x000000001BA0E000-memory.dmp

Filesize
56KB

Download
memory/3616-52-0x000000001BAA0000-0x000000001BAB8000-memory.dmp

Filesize
96KB

Download
memory/3616-54-0x000000001BB10000-0x000000001BB5E000-memory.dmp

Filesize
312KB

Download
memory/3616-9-0x000000001B6F0000-0x000000001B70C000-memory.dmp

Filesize
112KB

Download
memory/3616-7-0x0000000002C80000-0x0000000002C8E000-memory.dmp

Filesize
56KB

Download
memory/3616-5-0x00007FFAA2AA0000-0x00007FFAA3561000-memory.dmp

Filesize
10.8MB

Download
memory/3616-4-0x0000000002CA0000-0x0000000002CC6000-memory.dmp

Filesize
152KB

Download
memory/3616-2-0x00007FFAA2AA0000-0x00007FFAA3561000-memory.dmp

Filesize
10.8MB

Download
memory/3616-82-0x00007FFAA2AA0000-0x00007FFAA3561000-memory.dmp

Filesize
10.8MB

Download
memory/3616-1-0x00000000009B0000-0x0000000000C1E000-memory.dmp

Filesize
2.4MB

Download