dcrat | f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec

Analysis

max time kernel
140s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Size

1.8MB
MD5

68ef473852d3aefd8e5e4f2e00b3dfaa
SHA1

3ba2594ec459d1c9152558ebdd9611427347a73e
SHA256

f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec
SHA512

8602717380a4ad4ca7cbcdbb2373e63ff8578d58e6324d43530b134c6d7005469ff89c45bad773da978d4263a56c51efd331b09790f5708a563f26a513cad3ff
SSDEEP

49152:x4LJMXaJ0ypWp8GkSVPa7aQ8b0U51h3r:x4LJWeK3kE9QY53r

Score

10^/10

dcrat execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\taskhost.exe\", \"C:\\Windows\\Registration\\CRMLog\\wininit.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\ja-JP\\OSPPSVC.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\dllhost.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\taskhost.exe\", \"C:\\Windows\\Registration\\CRMLog\\wininit.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\ja-JP\\OSPPSVC.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\dllhost.exe\", \"C:\\Users\\Public\\sppsvc.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\taskhost.exe\", \"C:\\Windows\\Registration\\CRMLog\\wininit.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\ja-JP\\OSPPSVC.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\dllhost.exe\", \"C:\\Users\\Public\\sppsvc.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\taskhost.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\taskhost.exe\", \"C:\\Windows\\Registration\\CRMLog\\wininit.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\taskhost.exe\", \"C:\\Windows\\Registration\\CRMLog\\wininit.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\ja-JP\\OSPPSVC.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2768	schtasks.exe	31

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2832	powershell.exe
1848	powershell.exe
2612	powershell.exe
2840	powershell.exe
1044	powershell.exe
2532	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3064	dllhost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\taskhost.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\taskhost.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Registration\\CRMLog\\wininit.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Registration\\CRMLog\\wininit.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Public\\Pictures\\Sample Pictures\\dllhost.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Public\\sppsvc.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\ja-JP\\OSPPSVC.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\ja-JP\\OSPPSVC.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Public\\Pictures\\Sample Pictures\\dllhost.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Public\\sppsvc.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe\""	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC6A3DA195E2B4420584CDD2471F6ED50.TMP	csc.exe
File created	\??\c:\Windows\System32\gxbog2.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\OSPPSVC.exe	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\1610b97d3ab4a7	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\b75386f1303e64	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Registration\CRMLog\wininit.exe	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
File created	C:\Windows\Registration\CRMLog\56085415360792	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2552	schtasks.exe
2820	schtasks.exe
1264	schtasks.exe
776	schtasks.exe
2940	schtasks.exe
1940	schtasks.exe
2028	schtasks.exe
400	schtasks.exe
2664	schtasks.exe
1600	schtasks.exe
2448	schtasks.exe
2704	schtasks.exe
2952	schtasks.exe
2336	schtasks.exe
316	schtasks.exe
1724	schtasks.exe
1880	schtasks.exe
1620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3064	dllhost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	3064	dllhost.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2296	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	35
PID 2072 wrote to memory of 2296	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	35
PID 2072 wrote to memory of 2296	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	35
PID 2296 wrote to memory of 2544	2296	csc.exe	37
PID 2296 wrote to memory of 2544	2296	csc.exe	37
PID 2296 wrote to memory of 2544	2296	csc.exe	37
PID 2072 wrote to memory of 1848	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	53
PID 2072 wrote to memory of 1848	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	53
PID 2072 wrote to memory of 1848	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	53
PID 2072 wrote to memory of 2832	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	54
PID 2072 wrote to memory of 2832	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	54
PID 2072 wrote to memory of 2832	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	54
PID 2072 wrote to memory of 2840	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	55
PID 2072 wrote to memory of 2840	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	55
PID 2072 wrote to memory of 2840	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	55
PID 2072 wrote to memory of 2612	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	56
PID 2072 wrote to memory of 2612	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	56
PID 2072 wrote to memory of 2612	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	56
PID 2072 wrote to memory of 2532	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	57
PID 2072 wrote to memory of 2532	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	57
PID 2072 wrote to memory of 2532	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	57
PID 2072 wrote to memory of 1044	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	59
PID 2072 wrote to memory of 1044	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	59
PID 2072 wrote to memory of 1044	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	59
PID 2072 wrote to memory of 1924	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	65
PID 2072 wrote to memory of 1924	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	65
PID 2072 wrote to memory of 1924	2072	f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe	65
PID 1924 wrote to memory of 820	1924	cmd.exe	67
PID 1924 wrote to memory of 820	1924	cmd.exe	67
PID 1924 wrote to memory of 820	1924	cmd.exe	67
PID 1924 wrote to memory of 2132	1924	cmd.exe	68
PID 1924 wrote to memory of 2132	1924	cmd.exe	68
PID 1924 wrote to memory of 2132	1924	cmd.exe	68
PID 1924 wrote to memory of 3064	1924	cmd.exe	69
PID 1924 wrote to memory of 3064	1924	cmd.exe	69
PID 1924 wrote to memory of 3064	1924	cmd.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe
"C:\Users\Admin\AppData\Local\Temp\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bzl5jzve\bzl5jzve.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD411.tmp" "c:\Windows\System32\CSC6A3DA195E2B4420584CDD2471F6ED50.TMP"
    3⤵
    PID:2544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PFn5ugWHgB.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:820
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2132
- - C:\Users\Public\Pictures\Sample Pictures\dllhost.exe
    "C:\Users\Public\Pictures\Sample Pictures\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\CRMLog\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\CRMLog\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\Sample Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ecf" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ecf" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe

Filesize
1.8MB

MD5
68ef473852d3aefd8e5e4f2e00b3dfaa

SHA1
3ba2594ec459d1c9152558ebdd9611427347a73e

SHA256
f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec

SHA512
8602717380a4ad4ca7cbcdbb2373e63ff8578d58e6324d43530b134c6d7005469ff89c45bad773da978d4263a56c51efd331b09790f5708a563f26a513cad3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\PFn5ugWHgB.bat

Filesize
228B

MD5
f8e89519e53dc5d31e73a93d6a4a0513

SHA1
df96ca9b9bffe8bde5909f72040715a2cb09b0d4

SHA256
e5ce115334a3fbb4fd7a7b7a1fde5e8a14e7813200b4673eb1ea0a7fb6b946e3

SHA512
89c72d2befe2677fd7e88fde9dd79793a504439966644307e40f2679741fea7414f5aafee52ade0c71810c7eab842f03cab0537eaed569f30cd8eac4d85048ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD411.tmp

Filesize
1KB

MD5
ad6470a0e8d27b12e34e0462ecd928ed

SHA1
69dcdf624cd988e33f4e2587ed20960cb7fb498c

SHA256
183598a7153cbf382be71b7f4c5a1a5d49f3c5b8612aabdf0d8b1cc0165398d9

SHA512
b1b64b35462a9f5b103dd4c87289c4402c7c0f469655429cc9cb6498a25208e08cd261f0e93003ca6276e33cc2bbf36706f28375dd0e6d8f3629889caae4b2d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
40d0dae5e3f5559c8e6fb5fdb2bfb64d

SHA1
4e5858528441ee39327369367ce645fa9411a916

SHA256
c603d7e671ac0cd52d9c3fdd99ab9c7acdb134bfc16727847fa9704d7712357d

SHA512
7ad807b40373d583fcd4c3108db8ce2478333dc78d8a318b356a2c7e3bcc3c47d3cd2351086ba5b93d7d635284cb8380d1d702431fb57297a1f7dd97d3f61c20

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bzl5jzve\bzl5jzve.0.cs

Filesize
413B

MD5
0308946a1d3c694a2e4c7c367429ee37

SHA1
e870ee4c359bb3c601076ee207bb2ac13b6023f8

SHA256
db90eeffc0342d91148b606db4ec1212da8263270804516eaf679a38fa475a8f

SHA512
410198cf991692e4245f186686a0a9b87c7d801b34ac2cabedcfcba913e7e94b7914aa3c1c2a4efcf86032dd6c901299001cfb858aa15f66b6f0462d0a34653a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bzl5jzve\bzl5jzve.cmdline

Filesize
235B

MD5
3ec8201d380794413fe959740c2a4dbd

SHA1
836e152351ce537432faa42a3b2a0d07835ee7aa

SHA256
ce6b8afa906433dd177a377cd069a5e327b06da40747fb2b73de5c24326c1b1c

SHA512
5485eff0d0568af35381d91bd3fdff7ef1abc23c7c0170f22d3b0d18a30fdc7f5eea460f88cc0d95a96dc02ba5315d3b5f93bf205a84ea6c1b90b673efefc7dd

Download Submit
\??\c:\Windows\System32\CSC6A3DA195E2B4420584CDD2471F6ED50.TMP

Filesize
1KB

MD5
dbb2cd021b80875d9c777c705ef845c8

SHA1
3ed0cde3b4f4d8267c3cddd37dd4ede100b5ecce

SHA256
a4d8c8c391bc1975510bdea24653db0f578d998dead4ce7f8a85eb8fbb3ec829

SHA512
a8076e4d1b1641e189d2066050809ce0cce557e23c110fba77c2cfb7448b5915252b2e2f4d3443f708941277b947b951cfba6c191980a09b8c7710589c766c8e

Download Submit
memory/1848-56-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/1848-57-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2072-7-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/2072-9-0x00000000004C0000-0x00000000004DC000-memory.dmp

Filesize
112KB

Download
memory/2072-13-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/2072-26-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/2072-27-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/2072-28-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/2072-11-0x0000000000910000-0x0000000000928000-memory.dmp

Filesize
96KB

Download
memory/2072-14-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/2072-0-0x000007FEF5C73000-0x000007FEF5C74000-memory.dmp

Filesize
4KB

Download
memory/2072-6-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/2072-45-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/2072-4-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/2072-3-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/2072-2-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/2072-1-0x0000000000950000-0x0000000000B2C000-memory.dmp

Filesize
1.9MB

Download
memory/3064-80-0x0000000000C90000-0x0000000000E6C000-memory.dmp

Filesize
1.9MB

Download