dcrat | 5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Size

1.8MB
MD5

8c6166bfe177a90e76cea637c0314647
SHA1

50cc236eddfdb6a1395475cd02756aa6a6a47ccc
SHA256

5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb
SHA512

e9e149df32570a8ee7ce8167ff19746362642b562bb11898117367bf4516626958612ecb04b7a13705306d6ef370dc4642066f0c8a39f99783060dbbdfbd91cc
SSDEEP

24576:GjlZB5j1w/GT8jQDv6fDEjvVbCOMn08Fv6vnzpzcTRHU+ZLZej32x2FQ4paPHzIc:St5jdxDy7EjvVbWXsvwZlCt6MaP

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Windows\\Registration\\CRMLog\\dwm.exe\", \"C:\\Windows\\Logs\\SettingSync\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Windows\\Registration\\CRMLog\\dwm.exe\", \"C:\\Windows\\Logs\\SettingSync\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Windows\\Registration\\CRMLog\\dwm.exe\", \"C:\\Windows\\Logs\\SettingSync\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Windows\\Registration\\CRMLog\\dwm.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Windows\\Registration\\CRMLog\\dwm.exe\", \"C:\\Windows\\Logs\\SettingSync\\Idle.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	4184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	4184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	4184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	4184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	4184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	4184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	4184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	4184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	4184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	4184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	4184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	4184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	4184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	4184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	4184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	4184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	4184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	4184	schtasks.exe	83

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Public\\fontdrvhost.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Registration\\CRMLog\\dwm.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Registration\\CRMLog\\dwm.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Logs\\SettingSync\\Idle.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Logs\\SettingSync\\Idle.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Public\\fontdrvhost.exe\""	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC1052B2C8DEFE456281F4F257BAD6D6A.TMP	csc.exe
File created	\??\c:\Windows\System32\hnaorh.exe	csc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Registration\CRMLog\6cb0b6c459d5d3	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
File created	C:\Windows\Logs\SettingSync\Idle.exe	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
File created	C:\Windows\Logs\SettingSync\6ccacd8608530f	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
File created	C:\Windows\Registration\CRMLog\dwm.exe	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3320	schtasks.exe
4404	schtasks.exe
3872	schtasks.exe
2408	schtasks.exe
5108	schtasks.exe
1952	schtasks.exe
2432	schtasks.exe
2776	schtasks.exe
4268	schtasks.exe
4100	schtasks.exe
220	schtasks.exe
1680	schtasks.exe
3100	schtasks.exe
1480	schtasks.exe
3584	schtasks.exe
4536	schtasks.exe
4156	schtasks.exe
2352	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4804	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
4804	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4804	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
Token: SeDebugPrivilege	4804	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 2016	4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe	87
PID 4396 wrote to memory of 2016	4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe	87
PID 2016 wrote to memory of 4788	2016	csc.exe	89
PID 2016 wrote to memory of 4788	2016	csc.exe	89
PID 4396 wrote to memory of 3716	4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe	105
PID 4396 wrote to memory of 3716	4396	5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe	105
PID 3716 wrote to memory of 1364	3716	cmd.exe	107
PID 3716 wrote to memory of 1364	3716	cmd.exe	107
PID 3716 wrote to memory of 3604	3716	cmd.exe	108
PID 3716 wrote to memory of 3604	3716	cmd.exe	108
PID 3716 wrote to memory of 4804	3716	cmd.exe	109
PID 3716 wrote to memory of 4804	3716	cmd.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
"C:\Users\Admin\AppData\Local\Temp\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lp4poitb\lp4poitb.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9848.tmp" "c:\Windows\System32\CSC1052B2C8DEFE456281F4F257BAD6D6A.TMP"
    3⤵
    PID:4788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CNkGNmuXlA.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1364
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3604
- - C:\Users\Admin\AppData\Local\Temp\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe
    "C:\Users\Admin\AppData\Local\Temp\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\SettingSync\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Logs\SettingSync\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\SettingSync\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Public\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb5" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb5" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\spoolsv.exe

Filesize
1.8MB

MD5
8c6166bfe177a90e76cea637c0314647

SHA1
50cc236eddfdb6a1395475cd02756aa6a6a47ccc

SHA256
5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb

SHA512
e9e149df32570a8ee7ce8167ff19746362642b562bb11898117367bf4516626958612ecb04b7a13705306d6ef370dc4642066f0c8a39f99783060dbbdfbd91cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb.exe.log

Filesize
1KB

MD5
af6acd95d59de87c04642509c30e81c1

SHA1
f9549ae93fdb0a5861a79a08f60aa81c4b32377b

SHA256
7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

SHA512
93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CNkGNmuXlA.bat

Filesize
278B

MD5
74e490c7e642f7938551f239cb6218e4

SHA1
87d092858250fc7e7d1ce719cb6b501ea582b858

SHA256
c0da73155843f1253a869093a431deea46b6c15fa8b299f0dd20f6de386df429

SHA512
decbb20182c5ba7484ae5b55c8389cad27467d7a3496ae29fd2746523799532b0175bf50189374e72541002501dae5c89d6915f4d071fb5ff7fc7ba53d59d0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9848.tmp

Filesize
1KB

MD5
84303e313ae3c733f9e6e9b7249aa23a

SHA1
3356de946764dc3ffcaac464f50af08931512892

SHA256
8cfe176fdaaf02234604cfa0c5dea5fa1f4f004ea43a20951463e217c9f9db94

SHA512
cd16525374e76aef831bbe8bcd2af85eb0a982b531f94b477b50c551162ebbca525bdae1d6e7e6756979f8b3728f74744b5e78f4ebdd86662976c5dd981799d4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lp4poitb\lp4poitb.0.cs

Filesize
365B

MD5
a35f0960522ea7fd09cfba13db95b2fb

SHA1
97db0e339987fa420a70d3c966b9221eedb96432

SHA256
43e7040fac0e53e0f581bdb5c94705e5087d7e591bcd5a45765ab55b3c694293

SHA512
a74fd006463bc06a898bf018ce358da5726483aa7c934ae9e2eb73377700c5462013d89587d7ab70369f37425b62fee2541f6e5c0d43e729093f8127dbceb4cb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lp4poitb\lp4poitb.cmdline

Filesize
235B

MD5
164c70e2008f1737a9228444fbeaa995

SHA1
ce36c99de779b40fe67f6abb424bd97ea7ea381b

SHA256
84c80ac1b3e2217918899015fb1e93efe7d391d8bbd9ae6069ad4f92a16ddb82

SHA512
c1fb557fbaa8befa58f79821a29d751e149a7b5397bc11c69e38377b6327839dfd54164e4421cb1429ce10acf3e459e4945cc3a6cf308e3edec8c9044b28f5d9

Download Submit
\??\c:\Windows\System32\CSC1052B2C8DEFE456281F4F257BAD6D6A.TMP

Filesize
1KB

MD5
65d5babddb4bd68783c40f9e3678613f

SHA1
71e76abb44dbea735b9faaccb8c0fad345b514f4

SHA256
d61a59849cacd91b8039a8e41a5b92a7f93e2d46c90791b9ba6b5f856008cd8f

SHA512
21223e9a32df265bb75093d1ebaa879880a947d25ac764f3452b9104893b05f2c8fe4150cb2465681df7a0554dcefdb7f623aaf54772ade878270f453ebc1bcf

Download Submit
memory/4396-14-0x0000000001240000-0x000000000124C000-memory.dmp

Filesize
48KB

Download
memory/4396-28-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

Filesize
10.8MB

Download
memory/4396-12-0x0000000001770000-0x0000000001788000-memory.dmp

Filesize
96KB

Download
memory/4396-0-0x00007FF8A8573000-0x00007FF8A8575000-memory.dmp

Filesize
8KB

Download
memory/4396-15-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

Filesize
10.8MB

Download
memory/4396-9-0x0000000001740000-0x000000000175C000-memory.dmp

Filesize
112KB

Download
memory/4396-24-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

Filesize
10.8MB

Download
memory/4396-10-0x0000000001C80000-0x0000000001CD0000-memory.dmp

Filesize
320KB

Download
memory/4396-29-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

Filesize
10.8MB

Download
memory/4396-7-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

Filesize
10.8MB

Download
memory/4396-6-0x0000000001230000-0x000000000123E000-memory.dmp

Filesize
56KB

Download
memory/4396-4-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

Filesize
10.8MB

Download
memory/4396-3-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

Filesize
10.8MB

Download
memory/4396-47-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

Filesize
10.8MB

Download
memory/4396-2-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

Filesize
10.8MB

Download
memory/4396-1-0x0000000000840000-0x0000000000A1A000-memory.dmp

Filesize
1.9MB

Download