dcrat | aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Size

2.7MB
MD5

8b744166eecace320158f4d0f704b13e
SHA1

b92636084b3bd914514bc44556c4803933d667a3
SHA256

aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9
SHA512

641b3065e30186ccf9ba84ce6d345565763bbdb5fc1b1201c3f08fce5466c2384250b85b4c0220d2b9e21c5a51ff5ef60e9b910e07107e2b7e06f97b4e429d27
SSDEEP

24576:l+O4GuNVHU+AH2FWxOYIOlIZBrlsQBYI63DSyve5fG:s3N5IO6OtsMYIxS

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 43 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkCollectionAgent\\lsass.exe\", \"C:\\Windows\\System32\\ProximityRtapiPal\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\SearchApp.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140\\OfficeClickToRun.exe\", \"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\", \"C:\\Windows\\System32\\ieui\\taskhostw.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\ieui\\taskhostw.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\iuilp\\sihost.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
		4708	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\NetworkCollectionAgent\\lsass.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
		5004	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkCollectionAgent\\lsass.exe\", \"C:\\Windows\\System32\\ProximityRtapiPal\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\SearchApp.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140\\OfficeClickToRun.exe\", \"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
		3696	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkCollectionAgent\\lsass.exe\", \"C:\\Windows\\System32\\ProximityRtapiPal\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\SearchApp.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkCollectionAgent\\lsass.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
		4764	schtasks.exe
		4316	schtasks.exe
		948	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\NetworkCollectionAgent\\lsass.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
		2716	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Windows Portable Devices\\SearchApp.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
		4800	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\iuilp\\sihost.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\ProximityRtapiPal\\RuntimeBroker.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Windows Portable Devices\\SearchApp.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkCollectionAgent\\lsass.exe\", \"C:\\Windows\\System32\\ProximityRtapiPal\\RuntimeBroker.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkCollectionAgent\\lsass.exe\", \"C:\\Windows\\System32\\ProximityRtapiPal\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\SearchApp.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140\\OfficeClickToRun.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140\\OfficeClickToRun.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
		4656	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
		1092	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\ProximityRtapiPal\\RuntimeBroker.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
		4992	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140\\OfficeClickToRun.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\ieui\\taskhostw.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkCollectionAgent\\lsass.exe\", \"C:\\Windows\\System32\\ProximityRtapiPal\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\SearchApp.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140\\OfficeClickToRun.exe\", \"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\", \"C:\\Windows\\System32\\ieui\\taskhostw.exe\", \"C:\\Windows\\System32\\iuilp\\sihost.exe\""		aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
		2216	schtasks.exe
		3516	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 13 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkCollectionAgent\\lsass.exe\", \"C:\\Windows\\System32\\ProximityRtapiPal\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\SearchApp.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140\\OfficeClickToRun.exe\", \"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkCollectionAgent\\lsass.exe\", \"C:\\Windows\\System32\\ProximityRtapiPal\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\SearchApp.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140\\OfficeClickToRun.exe\", \"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\", \"C:\\Windows\\System32\\ieui\\taskhostw.exe\", \"C:\\Windows\\System32\\iuilp\\sihost.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkCollectionAgent\\lsass.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkCollectionAgent\\lsass.exe\", \"C:\\Windows\\System32\\ProximityRtapiPal\\RuntimeBroker.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkCollectionAgent\\lsass.exe\", \"C:\\Windows\\System32\\ProximityRtapiPal\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\SearchApp.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140\\OfficeClickToRun.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkCollectionAgent\\lsass.exe\", \"C:\\Windows\\System32\\ProximityRtapiPal\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\SearchApp.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140\\OfficeClickToRun.exe\", \"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\", \"C:\\Windows\\System32\\ieui\\taskhostw.exe\", \"C:\\Windows\\System32\\iuilp\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkCollectionAgent\\lsass.exe\", \"C:\\Windows\\System32\\ProximityRtapiPal\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\SearchApp.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140\\OfficeClickToRun.exe\", \"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\", \"C:\\Windows\\System32\\ieui\\taskhostw.exe\", \"C:\\Windows\\System32\\iuilp\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Idle.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkCollectionAgent\\lsass.exe\", \"C:\\Windows\\System32\\ProximityRtapiPal\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\SearchApp.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140\\OfficeClickToRun.exe\", \"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\", \"C:\\Windows\\System32\\ieui\\taskhostw.exe\", \"C:\\Windows\\System32\\iuilp\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Idle.exe\", \"C:\\Windows\\System32\\wbem\\wsp_fs_uninstall\\WmiPrvSE.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkCollectionAgent\\lsass.exe\", \"C:\\Windows\\System32\\ProximityRtapiPal\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\SearchApp.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Windows\\System32\\NetworkCollectionAgent\\lsass.exe\", \"C:\\Windows\\System32\\ProximityRtapiPal\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\SearchApp.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140\\OfficeClickToRun.exe\", \"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\", \"C:\\Windows\\System32\\ieui\\taskhostw.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe

Process spawned unexpected child process 13 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	612	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	612	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	612	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	612	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	612	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	612	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	612	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	612	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	612	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	612	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	612	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	612	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	612	schtasks.exe	82

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe

Executes dropped EXE 1 IoCs

pid	Process
1164	sihost.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\wsp_fs_uninstall\\WmiPrvSE.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\iuilp\\sihost.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Windows Portable Devices\\SearchApp.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140\\OfficeClickToRun.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\NetworkCollectionAgent\\lsass.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\NetworkCollectionAgent\\lsass.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\ProximityRtapiPal\\RuntimeBroker.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\ProximityRtapiPal\\RuntimeBroker.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Idle.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Windows Portable Devices\\SearchApp.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140\\OfficeClickToRun.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\ieui\\taskhostw.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\ieui\\taskhostw.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\iuilp\\sihost.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\wsp_fs_uninstall\\WmiPrvSE.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Idle.exe\""	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\System32\wbem\wsp_fs_uninstall\WmiPrvSE.exe	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
File created	C:\Windows\System32\NetworkCollectionAgent\lsass.exe	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
File opened for modification	C:\Windows\System32\ProximityRtapiPal\RuntimeBroker.exe	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
File created	C:\Windows\System32\ProximityRtapiPal\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
File created	C:\Windows\System32\ieui\taskhostw.exe	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
File created	C:\Windows\System32\iuilp\66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
File created	C:\Windows\System32\wbem\wsp_fs_uninstall\24dbde2999530ef5fd907494bc374d663924116c	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
File created	C:\Windows\System32\NetworkCollectionAgent\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
File created	C:\Windows\System32\ProximityRtapiPal\RuntimeBroker.exe	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
File created	C:\Windows\System32\ieui\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
File created	C:\Windows\System32\iuilp\sihost.exe	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\Idle.exe	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\6ccacd8608530fba3a93e87ae2225c7032aa18c1	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\spoolsv.exe	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
File created	C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
File created	C:\Program Files (x86)\Windows Portable Devices\38384e6a620884a6b69bcc56f80d556f9200171c	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140\OfficeClickToRun.exe	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140\e6c9b481da804f07baff8eff543b0a1441069b5d	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SKB\LanguageModels\winlogon.exe	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
File created	C:\Windows\SKB\LanguageModels\cc11b995f2a76da408ea6a601e682e64743153ad	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4800	schtasks.exe
4708	schtasks.exe
4992	schtasks.exe
5004	schtasks.exe
2216	schtasks.exe
4656	schtasks.exe
3516	schtasks.exe
4764	schtasks.exe
948	schtasks.exe
4316	schtasks.exe
2716	schtasks.exe
1092	schtasks.exe
3696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4320	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
1356	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
1568	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
1164	sihost.exe
1164	sihost.exe
1164	sihost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4320	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Token: SeDebugPrivilege	1356	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Token: SeDebugPrivilege	1568	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
Token: SeDebugPrivilege	1164	sihost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 1356	4320	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe	87
PID 4320 wrote to memory of 1356	4320	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe	87
PID 1356 wrote to memory of 4920	1356	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe	94
PID 1356 wrote to memory of 4920	1356	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe	94
PID 4920 wrote to memory of 3068	4920	cmd.exe	96
PID 4920 wrote to memory of 3068	4920	cmd.exe	96
PID 4920 wrote to memory of 1568	4920	cmd.exe	100
PID 4920 wrote to memory of 1568	4920	cmd.exe	100
PID 1568 wrote to memory of 1064	1568	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe	104
PID 1568 wrote to memory of 1064	1568	aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe	104
PID 1064 wrote to memory of 4004	1064	cmd.exe	106
PID 1064 wrote to memory of 4004	1064	cmd.exe	106
PID 1064 wrote to memory of 1164	1064	cmd.exe	110
PID 1064 wrote to memory of 1164	1064	cmd.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
"C:\Users\Admin\AppData\Local\Temp\aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Users\Admin\AppData\Local\Temp\aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
  "C:\Users\Admin\AppData\Local\Temp\aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe"
  2⤵
  - DcRat
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IoomRerVO2.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
      "C:\Users\Admin\AppData\Local\Temp\aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1568
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uqUx6UrUG7.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1064
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4004
      - C:\Recovery\WindowsRE\sihost.exe
        
        "C:\Recovery\WindowsRE\sihost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\NetworkCollectionAgent\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\ProximityRtapiPal\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\ieui\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\iuilp\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\wsp_fs_uninstall\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe.log

Filesize
1KB

MD5
b7c0c43fc7804baaa7dc87152cdc9554

SHA1
1bab62bd56af745678d4e967d91e1ccfdeed4038

SHA256
46386a61f3aaf1b1c2e6efc9fc7e9e9ff16cd13ae58b8d856835771fedb6d457

SHA512
9fda3dd00a3406137e0113f13f78e77b20a76512b35820d38df696842cbbf2e2ebabfb99a3846c9637ecb54af858ec1551521187e379872973006426a253f769

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoomRerVO2.bat

Filesize
266B

MD5
4e35461ff48ba76a7eb2ff8ba7e38175

SHA1
fa9a2c382c7b9463da3165beef074eb24704cf2b

SHA256
c3c5a90c0cb1e276fc8a06623cf51dbee4219ee5a0868e1a6d9f015c211ed6ac

SHA512
9d77f5d5ebc8a7fdcc5bcb06edc4453fd42eefe6b24f4c34514643e0db6611bca434acb38ee58a16a9c3c82e28ab2e4612f8bdac19326f1a797140052436dabf

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqUx6UrUG7.bat

Filesize
196B

MD5
631b0e9773047e9cbbce419e15aad153

SHA1
4a7298b0e1dab5c76bf11e2c31969a9a66302191

SHA256
73ced6a5ccb581396b6977eca5150fe9daaacfafc40da6913e8671d1a4fe1622

SHA512
a55e82e088f7e53e8876cfc6a22d9e7e74a8cf9c93e5b3eef1be15a4f7b2c70c9b0e648fceda0b642727d8c3aa01fdd93e048192c4431d4d2bd131ba5af3bec1

Download Submit
C:\Windows\System32\ProximityRtapiPal\RuntimeBroker.exe

Filesize
2.7MB

MD5
8b744166eecace320158f4d0f704b13e

SHA1
b92636084b3bd914514bc44556c4803933d667a3

SHA256
aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9

SHA512
641b3065e30186ccf9ba84ce6d345565763bbdb5fc1b1201c3f08fce5466c2384250b85b4c0220d2b9e21c5a51ff5ef60e9b910e07107e2b7e06f97b4e429d27

Download Submit
memory/1164-45-0x0000000000E10000-0x0000000000E1C000-memory.dmp

Filesize
48KB

Download
memory/1164-46-0x0000000000E20000-0x0000000000E2C000-memory.dmp

Filesize
48KB

Download
memory/1164-47-0x0000000000E50000-0x0000000000E5C000-memory.dmp

Filesize
48KB

Download
memory/1164-48-0x0000000002650000-0x0000000002658000-memory.dmp

Filesize
32KB

Download
memory/1164-49-0x0000000000E30000-0x0000000000E3A000-memory.dmp

Filesize
40KB

Download
memory/4320-4-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp

Filesize
10.8MB

Download
memory/4320-1-0x0000000000F40000-0x00000000011EE000-memory.dmp

Filesize
2.7MB

Download
memory/4320-13-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp

Filesize
10.8MB

Download
memory/4320-0-0x00007FFB28113000-0x00007FFB28115000-memory.dmp

Filesize
8KB

Download