dcrat | b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675

Analysis

max time kernel
138s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
Size

2.4MB
MD5

b22adfa78630bdb6a544c61d66a5fcef
SHA1

37cc4cf13bb13ecb380b24ea957da90f1efc4a92
SHA256

b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675
SHA512

8a6e1a374ca7f76c060fa07694a1c13caec49a44e51ed7922b7d5f428d77145078e97ddff16fe562dc3e28e4bf7b4bf52f3d4ba198fceba1c13e9d190014f658
SSDEEP

24576:GeJKuHmdcCw7sUL/4cIG5IuUegPImmW7ayqCwviBwyLBIShZgGaiCkX4GLP1L613:JJKFdaMcQLBxW8qiTNa

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\WinSAT\\DataStore\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default\\My Documents\\System.exe\""	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\WinSAT\\DataStore\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default\\My Documents\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\upfc.exe\""	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\WinSAT\\DataStore\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default\\My Documents\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\upfc.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\upfc.exe\""	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\WinSAT\\DataStore\\dllhost.exe\""	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\WinSAT\\DataStore\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\""	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	984	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	984	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	984	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	984	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	984	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	984	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	984	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	984	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	984	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	984	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	984	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	984	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	984	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	984	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	984	schtasks.exe	82

DCRat payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2232-1-0x0000000000820000-0x0000000000A8E000-memory.dmp	family_dcrat_v2
behavioral2/files/0x0008000000023c0e-63.dat	family_dcrat_v2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe

Executes dropped EXE 1 IoCs

Processes:

upfc.exe

pid	Process
2000	upfc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Default\\My Documents\\System.exe\""	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\MSBuild\\upfc.exe\""	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\MSBuild\\upfc.exe\""	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Public\\Documents\\My Videos\\upfc.exe\""	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Public\\Documents\\My Videos\\upfc.exe\""	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\dllhost.exe\""	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\""	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\""	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Default\\My Documents\\System.exe\""	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\dllhost.exe\""	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	Process
File created	\??\c:\Windows\System32\CSC706BB7C77BF14DD29E866627696B5E7.TMP	csc.exe
File created	\??\c:\Windows\System32\8zj1cq.exe	csc.exe

Drops file in Program Files directory 2 IoCs

Processes:

b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\upfc.exe	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
File created	C:\Program Files (x86)\MSBuild\ea1d8f6d871115	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe

Drops file in Windows directory 3 IoCs

Processes:

b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\DataStore\5940a34987c991	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
File created	C:\Windows\Performance\WinSAT\DataStore\dllhost.exe	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\dllhost.exe	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
2912	PING.EXE

Modifies registry class 1 IoCs

Processes:

b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2912	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
3468	schtasks.exe
4956	schtasks.exe
1756	schtasks.exe
964	schtasks.exe
3492	schtasks.exe
4544	schtasks.exe
2524	schtasks.exe
4312	schtasks.exe
2972	schtasks.exe
3940	schtasks.exe
1836	schtasks.exe
4584	schtasks.exe
1020	schtasks.exe
3720	schtasks.exe
384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe

pid	Process
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

upfc.exe

pid	Process
2000	upfc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exeupfc.exe

description	pid	Process
Token: SeDebugPrivilege	2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
Token: SeDebugPrivilege	2000	upfc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

upfc.exe

pid	Process
2000	upfc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.execsc.execmd.exe

description	pid	Process	procid_target
PID 2232 wrote to memory of 3144	2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe	86
PID 2232 wrote to memory of 3144	2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe	86
PID 3144 wrote to memory of 2384	3144	csc.exe	88
PID 3144 wrote to memory of 2384	3144	csc.exe	88
PID 2232 wrote to memory of 4552	2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe	101
PID 2232 wrote to memory of 4552	2232	b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe	101
PID 4552 wrote to memory of 3300	4552	cmd.exe	103
PID 4552 wrote to memory of 3300	4552	cmd.exe	103
PID 4552 wrote to memory of 2912	4552	cmd.exe	104
PID 4552 wrote to memory of 2912	4552	cmd.exe	104
PID 4552 wrote to memory of 2000	4552	cmd.exe	109
PID 4552 wrote to memory of 2000	4552	cmd.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe
"C:\Users\Admin\AppData\Local\Temp\b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hnmcodwx\hnmcodwx.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF94.tmp" "c:\Windows\System32\CSC706BB7C77BF14DD29E866627696B5E7.TMP"
    3⤵
    PID:2384
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dPvAkilM3F.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3300
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2912
- - C:\Program Files (x86)\MSBuild\upfc.exe
    "C:\Program Files (x86)\MSBuild\upfc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\DataStore\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\DataStore\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\My Documents\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\My Documents\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\My Documents\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Videos\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Videos\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCF94.tmp

Filesize
1KB

MD5
1ad567a1b234f764bbb69527d8e045b6

SHA1
a0df20564405224d1a5451a28f780a1b069ad46e

SHA256
ec741e5ad37a5ac19b339ee58fad501663a7a9c3f2de1884a95bd12eb2b4efae

SHA512
6cf8e0f6dbcb9614507d0343b5f9504e73503bfe67166303bc787f38e32474f98384e13d618e389fd13c412683fbc390b6564c1a08778dd615c9dba37c07c26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dPvAkilM3F.bat

Filesize
167B

MD5
e580ee13a59f8b52b854d8e4df50fcdb

SHA1
c278149d344703826acc22f741679872dc15df3f

SHA256
87503d345956fd695a230e28812ec5c8088696a458447026af922d539ff3dc26

SHA512
325c7693f4560e489def6ddd9d5c271897cd3fbbcc58d0a50fe9c6e376b8613e0b1f7cc00aac9fb8c583b1a6499c42dc459215a4abc72fc1d99c36d7e561613d

Download Submit
C:\Users\Public\Videos\upfc.exe

Filesize
2.4MB

MD5
b22adfa78630bdb6a544c61d66a5fcef

SHA1
37cc4cf13bb13ecb380b24ea957da90f1efc4a92

SHA256
b36b06473630c63123f3f9f178971c7ac4b07921065723a9ea73ab3556644675

SHA512
8a6e1a374ca7f76c060fa07694a1c13caec49a44e51ed7922b7d5f428d77145078e97ddff16fe562dc3e28e4bf7b4bf52f3d4ba198fceba1c13e9d190014f658

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hnmcodwx\hnmcodwx.0.cs

Filesize
383B

MD5
8c67709a4d055a0dd59970abb1f7241f

SHA1
c9262c8f1a3ed7043a1ed4385195d5f1d4c0a484

SHA256
6b2150e0e06428f815cffd07bc1a5850c937a61bff3f2a937707387a2d445797

SHA512
9e8b5970a3e46bcd1a61c19c484aa69865ac517a6cf24535b78ff997339de96e524b6d683f6c9d2b804c9c28ee55d121458022a937cf3f01585a784044430d70

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hnmcodwx\hnmcodwx.cmdline

Filesize
235B

MD5
6a9dc848fcaa44502003b9409f23ac95

SHA1
9833f30bc62e80678946d0b03e6829e54c2a50dd

SHA256
561f08310f6747c2d80c9dcaf688b2d77e63fda29e1d092aa2119b0b8c71a636

SHA512
6c327c2660962d589cc308dc5d4d351c7c98d2d9dd2956ec83f94543ae9bd1ee5fcb50876fc3e8cc7e0de6603875d47ff22ffa953f6fbada8190647dff6c87c4

Download Submit
\??\c:\Windows\System32\CSC706BB7C77BF14DD29E866627696B5E7.TMP

Filesize
1KB

MD5
d544bac668d308d2aba58ded2c13d82d

SHA1
e5dd50ef24d5c16629092f9290661a92387773b3

SHA256
84b05d56c45fd0382410fcd59e16aeef467ed0a455595dda88386dd5c87d7a02

SHA512
0826de2bc95d93dde2c540d2d768a0188481ee88f1da79f9c7d70d7ccd3c8715b8f1d62053f84d14f19e4d2b0a13e67084d970a158464e6223e340eb0733e1b0

Download Submit
memory/2232-29-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/2232-35-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/2232-12-0x000000001B720000-0x000000001B770000-memory.dmp

Filesize
320KB

Download
memory/2232-14-0x000000001B5F0000-0x000000001B600000-memory.dmp

Filesize
64KB

Download
memory/2232-11-0x000000001B6B0000-0x000000001B6CC000-memory.dmp

Filesize
112KB

Download
memory/2232-16-0x000000001B6F0000-0x000000001B708000-memory.dmp

Filesize
96KB

Download
memory/2232-18-0x000000001B6D0000-0x000000001B6E0000-memory.dmp

Filesize
64KB

Download
memory/2232-21-0x000000001B6E0000-0x000000001B6F0000-memory.dmp

Filesize
64KB

Download
memory/2232-19-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/2232-24-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/2232-23-0x000000001B710000-0x000000001B71E000-memory.dmp

Filesize
56KB

Download
memory/2232-26-0x000000001B7D0000-0x000000001B7E2000-memory.dmp

Filesize
72KB

Download
memory/2232-28-0x000000001B7B0000-0x000000001B7C0000-memory.dmp

Filesize
64KB

Download
memory/2232-31-0x000000001B810000-0x000000001B826000-memory.dmp

Filesize
88KB

Download
memory/2232-1-0x0000000000820000-0x0000000000A8E000-memory.dmp

Filesize
2.4MB

Download
memory/2232-32-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/2232-34-0x000000001B830000-0x000000001B842000-memory.dmp

Filesize
72KB

Download
memory/2232-10-0x000000001B660000-0x000000001B67C000-memory.dmp

Filesize
112KB

Download
memory/2232-38-0x000000001B7C0000-0x000000001B7CE000-memory.dmp

Filesize
56KB

Download
memory/2232-36-0x000000001BD80000-0x000000001C2A8000-memory.dmp

Filesize
5.2MB

Download
memory/2232-40-0x000000001B7F0000-0x000000001B800000-memory.dmp

Filesize
64KB

Download
memory/2232-42-0x000000001B800000-0x000000001B810000-memory.dmp

Filesize
64KB

Download
memory/2232-44-0x000000001B8B0000-0x000000001B90A000-memory.dmp

Filesize
360KB

Download
memory/2232-46-0x000000001B850000-0x000000001B85E000-memory.dmp

Filesize
56KB

Download
memory/2232-48-0x000000001B860000-0x000000001B870000-memory.dmp

Filesize
64KB

Download
memory/2232-50-0x000000001B870000-0x000000001B87E000-memory.dmp

Filesize
56KB

Download
memory/2232-52-0x000000001B910000-0x000000001B928000-memory.dmp

Filesize
96KB

Download
memory/2232-54-0x000000001B980000-0x000000001B9CE000-memory.dmp

Filesize
312KB

Download
memory/2232-6-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/2232-8-0x000000001B5E0000-0x000000001B5EE000-memory.dmp

Filesize
56KB

Download
memory/2232-5-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/2232-4-0x000000001B610000-0x000000001B636000-memory.dmp

Filesize
152KB

Download
memory/2232-2-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/2232-82-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/2232-0-0x00007FFB39E23000-0x00007FFB39E25000-memory.dmp

Filesize
8KB

Download