dcrat | f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec

Analysis

max time kernel
117s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68ef473852d3aefd8e5e4f2e00b3dfaa.exe
Size

1.8MB
MD5

68ef473852d3aefd8e5e4f2e00b3dfaa
SHA1

3ba2594ec459d1c9152558ebdd9611427347a73e
SHA256

f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec
SHA512

8602717380a4ad4ca7cbcdbb2373e63ff8578d58e6324d43530b134c6d7005469ff89c45bad773da978d4263a56c51efd331b09790f5708a563f26a513cad3ff
SSDEEP

49152:x4LJMXaJ0ypWp8GkSVPa7aQ8b0U51h3r:x4LJWeK3kE9QY53r

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\explorer.exe\""	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\""	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\kab\\LC_MESSAGES\\wininit.exe\""	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\kab\\LC_MESSAGES\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\""	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\kab\\LC_MESSAGES\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Users\\Admin\\Cookies\\smss.exe\""	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\kab\\LC_MESSAGES\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Users\\Admin\\Cookies\\smss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\68ef473852d3aefd8e5e4f2e00b3dfaa.exe\""	68ef473852d3aefd8e5e4f2e00b3dfaa.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2576	schtasks.exe	28

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
928	powershell.exe
236	powershell.exe
2124	powershell.exe
1584	powershell.exe
396	powershell.exe
1908	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1896	wininit.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Admin\\Cookies\\smss.exe\""	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\68ef473852d3aefd8e5e4f2e00b3dfaa = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\68ef473852d3aefd8e5e4f2e00b3dfaa.exe\""	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\explorer.exe\""	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\explorer.exe\""	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\""	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\""	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\kab\\LC_MESSAGES\\wininit.exe\""	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\kab\\LC_MESSAGES\\wininit.exe\""	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\""	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\""	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Admin\\Cookies\\smss.exe\""	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\68ef473852d3aefd8e5e4f2e00b3dfaa = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\68ef473852d3aefd8e5e4f2e00b3dfaa.exe\""	68ef473852d3aefd8e5e4f2e00b3dfaa.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\gxbog2.exe	csc.exe
File created	\??\c:\Windows\System32\CSCE32B38C62426439C966B32AD2ABE691B.TMP	csc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\wininit.exe	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\56085415360792	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\5940a34987c991	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\cc11b995f2a76d	68ef473852d3aefd8e5e4f2e00b3dfaa.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1544	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1544	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2624	schtasks.exe
2460	schtasks.exe
1868	schtasks.exe
600	schtasks.exe
2960	schtasks.exe
604	schtasks.exe
2340	schtasks.exe
1912	schtasks.exe
1780	schtasks.exe
1712	schtasks.exe
2484	schtasks.exe
668	schtasks.exe
2956	schtasks.exe
2216	schtasks.exe
1548	schtasks.exe
1448	schtasks.exe
2760	schtasks.exe
2812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
1584	powershell.exe
1908	powershell.exe
236	powershell.exe
2124	powershell.exe
928	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	236	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	1896	wininit.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2500	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	32
PID 2080 wrote to memory of 2500	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	32
PID 2080 wrote to memory of 2500	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	32
PID 2500 wrote to memory of 2936	2500	csc.exe	34
PID 2500 wrote to memory of 2936	2500	csc.exe	34
PID 2500 wrote to memory of 2936	2500	csc.exe	34
PID 2080 wrote to memory of 1908	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	50
PID 2080 wrote to memory of 1908	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	50
PID 2080 wrote to memory of 1908	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	50
PID 2080 wrote to memory of 396	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	51
PID 2080 wrote to memory of 396	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	51
PID 2080 wrote to memory of 396	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	51
PID 2080 wrote to memory of 1584	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	52
PID 2080 wrote to memory of 1584	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	52
PID 2080 wrote to memory of 1584	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	52
PID 2080 wrote to memory of 2124	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	53
PID 2080 wrote to memory of 2124	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	53
PID 2080 wrote to memory of 2124	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	53
PID 2080 wrote to memory of 236	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	54
PID 2080 wrote to memory of 236	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	54
PID 2080 wrote to memory of 236	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	54
PID 2080 wrote to memory of 928	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	55
PID 2080 wrote to memory of 928	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	55
PID 2080 wrote to memory of 928	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	55
PID 2080 wrote to memory of 468	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	62
PID 2080 wrote to memory of 468	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	62
PID 2080 wrote to memory of 468	2080	68ef473852d3aefd8e5e4f2e00b3dfaa.exe	62
PID 468 wrote to memory of 2880	468	cmd.exe	64
PID 468 wrote to memory of 2880	468	cmd.exe	64
PID 468 wrote to memory of 2880	468	cmd.exe	64
PID 468 wrote to memory of 1544	468	cmd.exe	65
PID 468 wrote to memory of 1544	468	cmd.exe	65
PID 468 wrote to memory of 1544	468	cmd.exe	65
PID 468 wrote to memory of 1896	468	cmd.exe	66
PID 468 wrote to memory of 1896	468	cmd.exe	66
PID 468 wrote to memory of 1896	468	cmd.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\68ef473852d3aefd8e5e4f2e00b3dfaa.exe
"C:\Users\Admin\AppData\Local\Temp\68ef473852d3aefd8e5e4f2e00b3dfaa.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sxlqhn3y\sxlqhn3y.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F87.tmp" "c:\Windows\System32\CSCE32B38C62426439C966B32AD2ABE691B.TMP"
    3⤵
    PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\68ef473852d3aefd8e5e4f2e00b3dfaa.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aoVweYocMJ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2880
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1544
- - C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\wininit.exe
    "C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\wininit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Cookies\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "68ef473852d3aefd8e5e4f2e00b3dfaa6" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\68ef473852d3aefd8e5e4f2e00b3dfaa.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "68ef473852d3aefd8e5e4f2e00b3dfaa" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\68ef473852d3aefd8e5e4f2e00b3dfaa.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "68ef473852d3aefd8e5e4f2e00b3dfaa6" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\68ef473852d3aefd8e5e4f2e00b3dfaa.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\explorer.exe

Filesize
1.8MB

MD5
68ef473852d3aefd8e5e4f2e00b3dfaa

SHA1
3ba2594ec459d1c9152558ebdd9611427347a73e

SHA256
f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec

SHA512
8602717380a4ad4ca7cbcdbb2373e63ff8578d58e6324d43530b134c6d7005469ff89c45bad773da978d4263a56c51efd331b09790f5708a563f26a513cad3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4F87.tmp

Filesize
1KB

MD5
f37cb4d3ccfdeb67a2a2225d71edb4f3

SHA1
e89afecc54b63ae8df567da65ae437a4b20fdf8c

SHA256
a1b6c86d32ba63db3153d7ed5ea41a265e7ba972417400b0e5e420f805220c0f

SHA512
496d4a0a7a4645f83ab92fd3c3aedc4ccf063e01e0d2a93d352faeefb33c21eaf4c7972189b9788926ed2e006617891e4dbc4aba90b96cef1967a1c739062b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoVweYocMJ.bat

Filesize
192B

MD5
6f2edaa8aefc887f890c2dad9450011c

SHA1
442163429433429ddd4a79a390ae55cfeb5df0cc

SHA256
ab8b1adabea3ce09796f9b737bd5e8b0fde851942e1040abef1ece0f03e5502c

SHA512
5afb54dff4be3182c90b57c6d3ab03372eab43f4c8e8114893d8e1ccc2f3b630ab05a3b8a972dd6478739246e96dce70deddf480914032c0170c94c0e4ad02fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
879a90f3b4e5ad5e89a2eb6273b20d22

SHA1
87726d36a9e26694623380e3ddb47ff7c357e707

SHA256
613c18a1bcdcd10a92145fd68192bdec1a034d91675ae2dc9bc8a39e0b8717b7

SHA512
661cee6f0596c9b4f43bcea38f33643eb2b000cd2b13650899f6a7f2012bc700a791a89ec8e2cfea0501cecedebee9514eea53c219f601c11bb68ea4f338a249

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sxlqhn3y\sxlqhn3y.0.cs

Filesize
407B

MD5
759967bbaed656441e500409febb8733

SHA1
6d58ce873e3bbccf6ab937c16a994c6f959afd63

SHA256
8dbe1ea0a12d2f30afa014efeb4921af830a74a79ca5ed0cd37e3cb671183860

SHA512
cd81893948abb975ef6f7fcac701d6402c7a3b49da52f60f697455f082e84c5d140b2b585420614457605b5603bd75f753db08835eebbe24fdf13c4029c70a67

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sxlqhn3y\sxlqhn3y.cmdline

Filesize
235B

MD5
6cba37135c7469de0548b0b9911b52a4

SHA1
5dbb2fc85add7d2956c7a285de47c8a742a55b82

SHA256
3a828fea425934cce3da51fb7b7c6ab5a7f2bc792e97e8458c51dbd9e1134af5

SHA512
2c1f334579a978d4c283003c4326470d6d99b0b713dd9a969a2bf12ab5c1c3783f8a5a12470917f23088e7fb2ea42e8f5a4e93b3b4d79e12334bfc167c277fad

Download Submit
\??\c:\Windows\System32\CSCE32B38C62426439C966B32AD2ABE691B.TMP

Filesize
1KB

MD5
dbb2cd021b80875d9c777c705ef845c8

SHA1
3ed0cde3b4f4d8267c3cddd37dd4ede100b5ecce

SHA256
a4d8c8c391bc1975510bdea24653db0f578d998dead4ce7f8a85eb8fbb3ec829

SHA512
a8076e4d1b1641e189d2066050809ce0cce557e23c110fba77c2cfb7448b5915252b2e2f4d3443f708941277b947b951cfba6c191980a09b8c7710589c766c8e

Download Submit
memory/1584-49-0x000000001B800000-0x000000001BAE2000-memory.dmp

Filesize
2.9MB

Download
memory/1584-52-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1896-80-0x0000000000050000-0x000000000022C000-memory.dmp

Filesize
1.9MB

Download
memory/2080-7-0x000007FEF6360000-0x000007FEF6D4C000-memory.dmp

Filesize
9.9MB

Download
memory/2080-15-0x000007FEF6360000-0x000007FEF6D4C000-memory.dmp

Filesize
9.9MB

Download
memory/2080-9-0x0000000000BE0000-0x0000000000BFC000-memory.dmp

Filesize
112KB

Download
memory/2080-18-0x000007FEF6360000-0x000007FEF6D4C000-memory.dmp

Filesize
9.9MB

Download
memory/2080-12-0x0000000000C00000-0x0000000000C18000-memory.dmp

Filesize
96KB

Download
memory/2080-14-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

Filesize
48KB

Download
memory/2080-16-0x000007FEF6360000-0x000007FEF6D4C000-memory.dmp

Filesize
9.9MB

Download
memory/2080-10-0x000007FEF6360000-0x000007FEF6D4C000-memory.dmp

Filesize
9.9MB

Download
memory/2080-0-0x000007FEF6363000-0x000007FEF6364000-memory.dmp

Filesize
4KB

Download
memory/2080-6-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

Filesize
56KB

Download
memory/2080-4-0x000007FEF6360000-0x000007FEF6D4C000-memory.dmp

Filesize
9.9MB

Download
memory/2080-3-0x000007FEF6360000-0x000007FEF6D4C000-memory.dmp

Filesize
9.9MB

Download
memory/2080-50-0x000007FEF6360000-0x000007FEF6D4C000-memory.dmp

Filesize
9.9MB

Download
memory/2080-2-0x000007FEF6360000-0x000007FEF6D4C000-memory.dmp

Filesize
9.9MB

Download
memory/2080-1-0x0000000000F80000-0x000000000115C000-memory.dmp

Filesize
1.9MB

Download