dcrat | 5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb

Analysis

max time kernel
117s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Size

1.8MB
MD5

8c6166bfe177a90e76cea637c0314647
SHA1

50cc236eddfdb6a1395475cd02756aa6a6a47ccc
SHA256

5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb
SHA512

e9e149df32570a8ee7ce8167ff19746362642b562bb11898117367bf4516626958612ecb04b7a13705306d6ef370dc4642066f0c8a39f99783060dbbdfbd91cc
SSDEEP

24576:GjlZB5j1w/GT8jQDv6fDEjvVbCOMn08Fv6vnzpzcTRHU+ZLZej32x2FQ4paPHzIc:St5jdxDy7EjvVbWXsvwZlCt6MaP

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\csrss.exe\", \"C:\\MSOCache\\All Users\\dwm.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\csrss.exe\", \"C:\\MSOCache\\All Users\\dwm.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\csrss.exe\", \"C:\\MSOCache\\All Users\\dwm.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\csrss.exe\", \"C:\\MSOCache\\All Users\\dwm.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\csrss.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2744	schtasks.exe	30

Executes dropped EXE 1 IoCs

pid	Process
868	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Media Player\\Media Renderer\\csrss.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Media Player\\Media Renderer\\csrss.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\dwm.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\dwm.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC96E58FAD5F4344D3A768281989ECD49B.TMP	csc.exe
File created	\??\c:\Windows\System32\byyuy-.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\a411a8e9a0349a	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\csrss.exe	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\886983d96e3d3e	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2692	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2692	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1960	schtasks.exe
1980	schtasks.exe
276	schtasks.exe
2736	schtasks.exe
2892	schtasks.exe
2036	schtasks.exe
2568	schtasks.exe
1932	schtasks.exe
2760	schtasks.exe
2656	schtasks.exe
3060	schtasks.exe
2604	schtasks.exe
2552	schtasks.exe
2784	schtasks.exe
2816	schtasks.exe
2044	schtasks.exe
1712	schtasks.exe
1108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Token: SeDebugPrivilege	868	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2836	2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe	34
PID 2684 wrote to memory of 2836	2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe	34
PID 2684 wrote to memory of 2836	2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe	34
PID 2836 wrote to memory of 2828	2836	csc.exe	36
PID 2836 wrote to memory of 2828	2836	csc.exe	36
PID 2836 wrote to memory of 2828	2836	csc.exe	36
PID 2684 wrote to memory of 2480	2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe	52
PID 2684 wrote to memory of 2480	2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe	52
PID 2684 wrote to memory of 2480	2684	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe	52
PID 2480 wrote to memory of 2588	2480	cmd.exe	55
PID 2480 wrote to memory of 2588	2480	cmd.exe	55
PID 2480 wrote to memory of 2588	2480	cmd.exe	55
PID 2480 wrote to memory of 2692	2480	cmd.exe	56
PID 2480 wrote to memory of 2692	2480	cmd.exe	56
PID 2480 wrote to memory of 2692	2480	cmd.exe	56
PID 2480 wrote to memory of 868	2480	cmd.exe	57
PID 2480 wrote to memory of 868	2480	cmd.exe	57
PID 2480 wrote to memory of 868	2480	cmd.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
"C:\Users\Admin\AppData\Local\Temp\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nkbdp1b0\nkbdp1b0.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD6B0.tmp" "c:\Windows\System32\CSC96E58FAD5F4344D3A768281989ECD49B.TMP"
    3⤵
    PID:2828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yLn5Bpe36q.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2588
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2692
- - C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
    "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Media Renderer\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Media Renderer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb5" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb5" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb5" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb5" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb5" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb5" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe

Filesize
1.8MB

MD5
8c6166bfe177a90e76cea637c0314647

SHA1
50cc236eddfdb6a1395475cd02756aa6a6a47ccc

SHA256
5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb

SHA512
e9e149df32570a8ee7ce8167ff19746362642b562bb11898117367bf4516626958612ecb04b7a13705306d6ef370dc4642066f0c8a39f99783060dbbdfbd91cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD6B0.tmp

Filesize
1KB

MD5
1cb73670a302e4264d9631666c66c51a

SHA1
ef83a44786d6e4152d48aa65825c674ce9afe904

SHA256
5c8482e8d785b779d6d69b1a058c12c5d67051b70a096a17cbf5c8f983b677d9

SHA512
ab0960bb2c94fa1cd7016daa56241bbb3036eccc865afc924690e3f2ae7b5aa48161b936cf6ccaed0e46d4f5af900672cb391c4bc42652d588b571afb59f3e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yLn5Bpe36q.bat

Filesize
245B

MD5
945b668c3111669c93bf613b28469a59

SHA1
44576e9891d9fd3723ce2d2bfe6a7eca12ac417c

SHA256
6244bdb0631def6f074e087b757019ed8fa1d654107c235ce459990beed30c8e

SHA512
be4c4277841744a8601f29413a7bebb61ab7d5818da807d2917fd38fe5ffc0fec2a2b7e53c60e800371500f6fec19af8f7c0ae953a0c840c6a2f8852a8c8acbe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nkbdp1b0\nkbdp1b0.0.cs

Filesize
393B

MD5
b006b9ce86114d94cd611a1a5fba78b1

SHA1
898d916a9f315eda906c8ceac7c2c968cb29fd3e

SHA256
6b36cf08181320e0c88ab475694c66ef79ca94842a6473f7ad991d9d7459e65a

SHA512
333ce833f883da732a6f8c695e6e98cf8203e24072e9ffaf63c99baeff076dcbe6d4bca3d81b5ec0b98ccb704e4d6b4347ac942465206db5fec4d6447f73dd96

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nkbdp1b0\nkbdp1b0.cmdline

Filesize
235B

MD5
32072bac7e9e4b777e18bbc3310298e7

SHA1
32516e318f19dfe872197e547c2d3b3094d5dadf

SHA256
515b67c46c59d9d2599cad4c4ceb753eb28d6817fb3b853d8f286db90e2ddf01

SHA512
4a3fa426143f6526fafdf0ce82a6782055fa4ae94b1f82593b06dbe5bb9d471760bd7b9dc85f510ca971e9b8c1eaea18e6086d6e6158c804adb98d4e7a4d95d4

Download Submit
\??\c:\Windows\System32\CSC96E58FAD5F4344D3A768281989ECD49B.TMP

Filesize
1KB

MD5
078586b266e519b5c113064d7a0bf45c

SHA1
a9395c0ef35add5c75591ebb94c85c1f33f408bf

SHA256
ccf292ff9f142b204ad4f4481a044ba8f9ab274305dcb604bf0b8ae91819ab1e

SHA512
5b8eb6aad62657309088c4668d633c2aa6324d4824ec32c3c5e133df0a5493a4342c980e077ba565f3aab29c58f95c8db7195415a1e554384405c1457730f959

Download Submit
memory/868-51-0x0000000000BF0000-0x0000000000DCA000-memory.dmp

Filesize
1.9MB

Download
memory/2684-16-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-7-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/2684-13-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-15-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2684-10-0x0000000000E90000-0x0000000000EAC000-memory.dmp

Filesize
112KB

Download
memory/2684-0-0x000007FEF5B83000-0x000007FEF5B84000-memory.dmp

Filesize
4KB

Download
memory/2684-18-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-5-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-8-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-12-0x0000000000EB0000-0x0000000000EC8000-memory.dmp

Filesize
96KB

Download
memory/2684-29-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-35-0x000007FEF5B83000-0x000007FEF5B84000-memory.dmp

Filesize
4KB

Download
memory/2684-4-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-3-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-47-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-2-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-1-0x0000000000F20000-0x00000000010FA000-memory.dmp

Filesize
1.9MB

Download