dcrat | f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec

Analysis

max time kernel
117s
max time network
150s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Size

1.8MB
MD5

68ef473852d3aefd8e5e4f2e00b3dfaa
SHA1

3ba2594ec459d1c9152558ebdd9611427347a73e
SHA256

f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec
SHA512

8602717380a4ad4ca7cbcdbb2373e63ff8578d58e6324d43530b134c6d7005469ff89c45bad773da978d4263a56c51efd331b09790f5708a563f26a513cad3ff
SSDEEP

49152:x4LJMXaJ0ypWp8GkSVPa7aQ8b0U51h3r:x4LJWeK3kE9QY53r

Score

10^/10

dcrat execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\audiodg.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\audiodg.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\System.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\audiodg.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\audiodg.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\audiodg.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\wininit.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\audiodg.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2892	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1620	powershell.exe
2688	powershell.exe
2636	powershell.exe
2940	powershell.exe
2924	powershell.exe
2960	powershell.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\audiodg.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\audiodg.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\System.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\System.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\wininit.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\wininit.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCDC44A5A0578E4F808077C2B13BC49DBC.TMP	csc.exe
File created	\??\c:\Windows\System32\_f1q_j.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\c5b4cb5e9653cc	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\DataStore\System.exe	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
File created	C:\Windows\Performance\WinSAT\DataStore\27d1bcfc3c54e0	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2748	schtasks.exe
2848	schtasks.exe
1656	schtasks.exe
1292	schtasks.exe
1752	schtasks.exe
1812	schtasks.exe
2492	schtasks.exe
764	schtasks.exe
2668	schtasks.exe
1088	schtasks.exe
348	schtasks.exe
2904	schtasks.exe
796	schtasks.exe
1660	schtasks.exe
2464	schtasks.exe
1976	schtasks.exe
2852	schtasks.exe
2816	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2960	powershell.exe
2636	powershell.exe
2924	powershell.exe
2940	powershell.exe
1620	powershell.exe
2688	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	788	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2996	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	34
PID 2096 wrote to memory of 2996	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	34
PID 2096 wrote to memory of 2996	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	34
PID 2996 wrote to memory of 2208	2996	csc.exe	36
PID 2996 wrote to memory of 2208	2996	csc.exe	36
PID 2996 wrote to memory of 2208	2996	csc.exe	36
PID 2096 wrote to memory of 2960	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	52
PID 2096 wrote to memory of 2960	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	52
PID 2096 wrote to memory of 2960	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	52
PID 2096 wrote to memory of 2924	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	53
PID 2096 wrote to memory of 2924	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	53
PID 2096 wrote to memory of 2924	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	53
PID 2096 wrote to memory of 2940	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	54
PID 2096 wrote to memory of 2940	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	54
PID 2096 wrote to memory of 2940	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	54
PID 2096 wrote to memory of 2636	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	55
PID 2096 wrote to memory of 2636	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	55
PID 2096 wrote to memory of 2636	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	55
PID 2096 wrote to memory of 2688	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	57
PID 2096 wrote to memory of 2688	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	57
PID 2096 wrote to memory of 2688	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	57
PID 2096 wrote to memory of 1620	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	59
PID 2096 wrote to memory of 1620	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	59
PID 2096 wrote to memory of 1620	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	59
PID 2096 wrote to memory of 1628	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	64
PID 2096 wrote to memory of 1628	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	64
PID 2096 wrote to memory of 1628	2096	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	64
PID 1628 wrote to memory of 1748	1628	cmd.exe	66
PID 1628 wrote to memory of 1748	1628	cmd.exe	66
PID 1628 wrote to memory of 1748	1628	cmd.exe	66
PID 1628 wrote to memory of 880	1628	cmd.exe	67
PID 1628 wrote to memory of 880	1628	cmd.exe	67
PID 1628 wrote to memory of 880	1628	cmd.exe	67
PID 1628 wrote to memory of 788	1628	cmd.exe	69
PID 1628 wrote to memory of 788	1628	cmd.exe	69
PID 1628 wrote to memory of 788	1628	cmd.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
"C:\Users\Admin\AppData\Local\Temp\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\exld5xk0\exld5xk0.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD95.tmp" "c:\Windows\System32\CSCDC44A5A0578E4F808077C2B13BC49DBC.TMP"
    3⤵
    PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8TUkMQOrjC.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1748
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:880
- - C:\Users\Admin\AppData\Local\Temp\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
    "C:\Users\Admin\AppData\Local\Temp\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ecf" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ecf" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\audiodg.exe

Filesize
1.8MB

MD5
68ef473852d3aefd8e5e4f2e00b3dfaa

SHA1
3ba2594ec459d1c9152558ebdd9611427347a73e

SHA256
f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec

SHA512
8602717380a4ad4ca7cbcdbb2373e63ff8578d58e6324d43530b134c6d7005469ff89c45bad773da978d4263a56c51efd331b09790f5708a563f26a513cad3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\8TUkMQOrjC.bat

Filesize
278B

MD5
c52295d3da55204fd181456e2983985f

SHA1
4d58d246e5d5faef73ef8fa946503c8ef6ee7ca0

SHA256
1ab238e42473c00a07fa6082a95fd3b747a05396b5ff512f34470462f8263bed

SHA512
a481d8f57cfe76e50783d6084a506800c7c5f6b591bb61c1c11f3fa62e49ffe48f08f54b519f6c100e3f5f2e9549c2244cb859c50c238ec2daca9cac02be546d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBD95.tmp

Filesize
1KB

MD5
a0a58f4a89653d9f31a56f08dd0cd24f

SHA1
82405d4d6b7bd06a951333c1eeea6418046a31c7

SHA256
0d72aaf902013bad1489d3bdf7a94796187b20c7353c5fe6c9f8c8dd778c07a3

SHA512
8dc2938939573d87d60d15be8805aea0f815fef3242e495987d696532df96d7373b9a14aeb462a426e2ce7c39bed720fc5fbb092a6c50146445045e51f9afb9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b3fffea7d16fb847297fb90e807f148d

SHA1
020c64ec1513ea102431eef4e5387ceea85d0df8

SHA256
b12f6157499d5232944946fd65e64dd85992c246b51cacc7290e8a8082f9ce67

SHA512
f478498917752754c26038d6b83ca53576d4f7091611667d138f280e5123c1986018bbf94b521fed50b3f70ece1378665367d46c0123c78fc5ab8741e67ed340

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\exld5xk0\exld5xk0.0.cs

Filesize
432B

MD5
df28da3b5ab17a378db8a2b2b2322119

SHA1
6fac5170e536b76b0d9e854e96f33e8bf296022f

SHA256
8fc3b4a2676c77b4bd227d94a7cdfebbf307685a0292d2366189e15b838df416

SHA512
99be87e6269d0bd08d970bbf648c8782b4fe537bcfe4dce85c47e7c9e50451da9a3710f735606e1a3328cc5448b087e6856a33e40904f3c7a685a1b46d711e9e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\exld5xk0\exld5xk0.cmdline

Filesize
235B

MD5
d9c738cb8532ebcd9ea61402499fd3cd

SHA1
270f9597380dd20e30cefcf11eecd11ce2cee730

SHA256
92d095bb4b4c5750406a374475aa621d22f467b9516783625b734cc001efd87c

SHA512
f69bed20d2fa6d9ac129c2e2a791a59d6317fce75b1a887f0ab55f80f5abc9921559503912e8139e0460331445a33277298c37e3c573045c15c61606c43f5761

Download Submit
\??\c:\Windows\System32\CSCDC44A5A0578E4F808077C2B13BC49DBC.TMP

Filesize
1KB

MD5
fccbcfaf29fdccaabada579f7aaf3ae7

SHA1
f9b179b6aab6b96908d89b35aab3f503478a956d

SHA256
e70bc8ad14a70d490fe92ed86e79c40fc133a64428a2781e14514b16d83a9b02

SHA512
ac047b4ba060e72e224c1afdebbdafecbfd705a67cb8f0cd5c82bf7980c2baa23bdb5bf5d821836bc0c426069a61d8e112b45239887d2d81b8a6d4fa839c1e10

Download Submit
memory/788-78-0x00000000010C0000-0x000000000129C000-memory.dmp

Filesize
1.9MB

Download
memory/2096-7-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-6-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/2096-17-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-15-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/2096-13-0x0000000000560000-0x0000000000578000-memory.dmp

Filesize
96KB

Download
memory/2096-11-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-10-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-9-0x0000000000540000-0x000000000055C000-memory.dmp

Filesize
112KB

Download
memory/2096-0-0x000007FEF53A3000-0x000007FEF53A4000-memory.dmp

Filesize
4KB

Download
memory/2096-16-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-4-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-49-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-3-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-1-0x0000000000960000-0x0000000000B3C000-memory.dmp

Filesize
1.9MB

Download
memory/2096-2-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/2636-65-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/2924-55-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download