dcrat | 4acc21ce239f8eadca573c53b92cc49b96a9d7b96f7cfe4a5511847148839a2a

Analysis

max time kernel
117s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3614F4C4B137E627F03D0118F4779D52.exe
Size

1.8MB
MD5

3614f4c4b137e627f03d0118f4779d52
SHA1

07120124f394eddb46c3c2a985063718d17fc48d
SHA256

4acc21ce239f8eadca573c53b92cc49b96a9d7b96f7cfe4a5511847148839a2a
SHA512

bfc1cb74b69f1bc0e47eefee7614760edfe068ac9471ed211a87d4b1a47f8f2e784db2beb79b23988ba7810d525eb2463f75eacf0df9f560a2d2e0e52a0e7c7f
SSDEEP

24576:wwkCsYsgFFuqj/oBxyALwMosh651ZBvISmXqD0Z+rtyumwwI3PXGSfaeiLUb+7xE:B5kBTXYD3Yo0ZKy7IfXGfLU67x6sg

Score

10^/10

dcrat execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\spoolsv.exe\""	3614F4C4B137E627F03D0118F4779D52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\spoolsv.exe\", \"C:\\Users\\Default\\Recent\\3614F4C4B137E627F03D0118F4779D52.exe\""	3614F4C4B137E627F03D0118F4779D52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\spoolsv.exe\", \"C:\\Users\\Default\\Recent\\3614F4C4B137E627F03D0118F4779D52.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WMIADAP.exe\""	3614F4C4B137E627F03D0118F4779D52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\spoolsv.exe\", \"C:\\Users\\Default\\Recent\\3614F4C4B137E627F03D0118F4779D52.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WMIADAP.exe\", \"C:\\Windows\\Downloaded Program Files\\dwm.exe\""	3614F4C4B137E627F03D0118F4779D52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\spoolsv.exe\", \"C:\\Users\\Default\\Recent\\3614F4C4B137E627F03D0118F4779D52.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WMIADAP.exe\", \"C:\\Windows\\Downloaded Program Files\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\Idle.exe\""	3614F4C4B137E627F03D0118F4779D52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\spoolsv.exe\", \"C:\\Users\\Default\\Recent\\3614F4C4B137E627F03D0118F4779D52.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WMIADAP.exe\", \"C:\\Windows\\Downloaded Program Files\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\3614F4C4B137E627F03D0118F4779D52.exe\""	3614F4C4B137E627F03D0118F4779D52.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2796	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2796	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2796	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2796	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2796	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2796	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2796	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2796	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2796	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2796	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2796	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2796	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2796	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2796	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2796	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2796	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2796	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2796	schtasks.exe	31

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2336	powershell.exe
1780	powershell.exe
528	powershell.exe
1964	powershell.exe
2212	powershell.exe
2380	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
604	Idle.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\3614F4C4B137E627F03D0118F4779D52 = "\"C:\\Users\\Default\\Recent\\3614F4C4B137E627F03D0118F4779D52.exe\""	3614F4C4B137E627F03D0118F4779D52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3614F4C4B137E627F03D0118F4779D52 = "\"C:\\Users\\Default\\Recent\\3614F4C4B137E627F03D0118F4779D52.exe\""	3614F4C4B137E627F03D0118F4779D52.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WMIADAP.exe\""	3614F4C4B137E627F03D0118F4779D52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WMIADAP.exe\""	3614F4C4B137E627F03D0118F4779D52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Downloaded Program Files\\dwm.exe\""	3614F4C4B137E627F03D0118F4779D52.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\Idle.exe\""	3614F4C4B137E627F03D0118F4779D52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\Idle.exe\""	3614F4C4B137E627F03D0118F4779D52.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default\\Downloads\\spoolsv.exe\""	3614F4C4B137E627F03D0118F4779D52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3614F4C4B137E627F03D0118F4779D52 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3614F4C4B137E627F03D0118F4779D52.exe\""	3614F4C4B137E627F03D0118F4779D52.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\3614F4C4B137E627F03D0118F4779D52 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3614F4C4B137E627F03D0118F4779D52.exe\""	3614F4C4B137E627F03D0118F4779D52.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Downloaded Program Files\\dwm.exe\""	3614F4C4B137E627F03D0118F4779D52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default\\Downloads\\spoolsv.exe\""	3614F4C4B137E627F03D0118F4779D52.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io
8	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCD4A4E3E51DF7483FB540CFB0702499A9.TMP	csc.exe
File created	\??\c:\Windows\System32\3kmwe8.exe	csc.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe	3614F4C4B137E627F03D0118F4779D52.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe	3614F4C4B137E627F03D0118F4779D52.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\6ccacd8608530f	3614F4C4B137E627F03D0118F4779D52.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\dwm.exe	3614F4C4B137E627F03D0118F4779D52.exe
File created	C:\Windows\Downloaded Program Files\6cb0b6c459d5d3	3614F4C4B137E627F03D0118F4779D52.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Idle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Idle.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2904	schtasks.exe
2640	schtasks.exe
2284	schtasks.exe
1256	schtasks.exe
3004	schtasks.exe
744	schtasks.exe
2832	schtasks.exe
2668	schtasks.exe
2936	schtasks.exe
1904	schtasks.exe
1380	schtasks.exe
2292	schtasks.exe
2748	schtasks.exe
1148	schtasks.exe
2968	schtasks.exe
1280	schtasks.exe
2040	schtasks.exe
2960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe
2204	3614F4C4B137E627F03D0118F4779D52.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	3614F4C4B137E627F03D0118F4779D52.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	604	Idle.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2912	2204	3614F4C4B137E627F03D0118F4779D52.exe	35
PID 2204 wrote to memory of 2912	2204	3614F4C4B137E627F03D0118F4779D52.exe	35
PID 2204 wrote to memory of 2912	2204	3614F4C4B137E627F03D0118F4779D52.exe	35
PID 2912 wrote to memory of 2804	2912	csc.exe	37
PID 2912 wrote to memory of 2804	2912	csc.exe	37
PID 2912 wrote to memory of 2804	2912	csc.exe	37
PID 2204 wrote to memory of 2380	2204	3614F4C4B137E627F03D0118F4779D52.exe	53
PID 2204 wrote to memory of 2380	2204	3614F4C4B137E627F03D0118F4779D52.exe	53
PID 2204 wrote to memory of 2380	2204	3614F4C4B137E627F03D0118F4779D52.exe	53
PID 2204 wrote to memory of 2212	2204	3614F4C4B137E627F03D0118F4779D52.exe	54
PID 2204 wrote to memory of 2212	2204	3614F4C4B137E627F03D0118F4779D52.exe	54
PID 2204 wrote to memory of 2212	2204	3614F4C4B137E627F03D0118F4779D52.exe	54
PID 2204 wrote to memory of 1964	2204	3614F4C4B137E627F03D0118F4779D52.exe	56
PID 2204 wrote to memory of 1964	2204	3614F4C4B137E627F03D0118F4779D52.exe	56
PID 2204 wrote to memory of 1964	2204	3614F4C4B137E627F03D0118F4779D52.exe	56
PID 2204 wrote to memory of 528	2204	3614F4C4B137E627F03D0118F4779D52.exe	57
PID 2204 wrote to memory of 528	2204	3614F4C4B137E627F03D0118F4779D52.exe	57
PID 2204 wrote to memory of 528	2204	3614F4C4B137E627F03D0118F4779D52.exe	57
PID 2204 wrote to memory of 1780	2204	3614F4C4B137E627F03D0118F4779D52.exe	58
PID 2204 wrote to memory of 1780	2204	3614F4C4B137E627F03D0118F4779D52.exe	58
PID 2204 wrote to memory of 1780	2204	3614F4C4B137E627F03D0118F4779D52.exe	58
PID 2204 wrote to memory of 2336	2204	3614F4C4B137E627F03D0118F4779D52.exe	59
PID 2204 wrote to memory of 2336	2204	3614F4C4B137E627F03D0118F4779D52.exe	59
PID 2204 wrote to memory of 2336	2204	3614F4C4B137E627F03D0118F4779D52.exe	59
PID 2204 wrote to memory of 2552	2204	3614F4C4B137E627F03D0118F4779D52.exe	65
PID 2204 wrote to memory of 2552	2204	3614F4C4B137E627F03D0118F4779D52.exe	65
PID 2204 wrote to memory of 2552	2204	3614F4C4B137E627F03D0118F4779D52.exe	65
PID 2552 wrote to memory of 1708	2552	cmd.exe	67
PID 2552 wrote to memory of 1708	2552	cmd.exe	67
PID 2552 wrote to memory of 1708	2552	cmd.exe	67
PID 2552 wrote to memory of 1912	2552	cmd.exe	68
PID 2552 wrote to memory of 1912	2552	cmd.exe	68
PID 2552 wrote to memory of 1912	2552	cmd.exe	68
PID 2552 wrote to memory of 604	2552	cmd.exe	69
PID 2552 wrote to memory of 604	2552	cmd.exe	69
PID 2552 wrote to memory of 604	2552	cmd.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3614F4C4B137E627F03D0118F4779D52.exe
"C:\Users\Admin\AppData\Local\Temp\3614F4C4B137E627F03D0118F4779D52.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wyxculx0\wyxculx0.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3D3.tmp" "c:\Windows\System32\CSCD4A4E3E51DF7483FB540CFB0702499A9.TMP"
    3⤵
    PID:2804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\3614F4C4B137E627F03D0118F4779D52.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3614F4C4B137E627F03D0118F4779D52.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cy8ISVXXgP.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1708
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1912
- - C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe
    "C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Downloads\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Downloads\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3614F4C4B137E627F03D0118F4779D523" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Recent\3614F4C4B137E627F03D0118F4779D52.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3614F4C4B137E627F03D0118F4779D52" /sc ONLOGON /tr "'C:\Users\Default\Recent\3614F4C4B137E627F03D0118F4779D52.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3614F4C4B137E627F03D0118F4779D523" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Recent\3614F4C4B137E627F03D0118F4779D52.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3614F4C4B137E627F03D0118F4779D523" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\3614F4C4B137E627F03D0118F4779D52.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3614F4C4B137E627F03D0118F4779D52" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\3614F4C4B137E627F03D0118F4779D52.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3614F4C4B137E627F03D0118F4779D523" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\3614F4C4B137E627F03D0118F4779D52.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD3D3.tmp

Filesize
1KB

MD5
185244ce1432041d1b38cb941907d078

SHA1
804949d8fdb9c3349054be2d04774417646a0096

SHA256
6d25bad122d0bf7f554a67b75f25ba02698eada4d48d94e8c1793216a2b51eff

SHA512
05777ba5742cc69bd98e454c8562ceb684a038232e32f8437dd6ee714c774b94ccd69ec9b54217f2dde82d58d63eb7763b6b76817ebf160e3c852ad7964a68c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cy8ISVXXgP.bat

Filesize
234B

MD5
997e755e20d49d06d4c16d4f69e10784

SHA1
a149db9f5cb73b14f9bd60b080a78fc279616b28

SHA256
d49a2de3f6c70181c42898201a9c6fc427d8e3e75b45e70fc08ac1724b3d4f7d

SHA512
eb477dd236877fc79da5f826117b11a17322abc29d5f5d3552c5c624af5d6025bf54ba8f51d7f73cd59086ed105c323866de6a7929115254b8f0c7dfef905111

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0484235c379f1de9b109f8037e710f83

SHA1
5cd590c75e9499b251d1974afab2436ac57f9da6

SHA256
8e6b32831aa2d990b8d627de0e2a5f6ab33ef92bc9145616bcb7abcf98acf421

SHA512
1fe6fb51dfbd57e7a44f7f3ad82c7ad4a31cda137b5d46bbedcd98c536fc003bbe5aec276d70ae56a10b2deeece5bab28a1605a7c202e2f0f967b3a7e7b83778

Download Submit
C:\Users\Default\Downloads\spoolsv.exe

Filesize
1.8MB

MD5
3614f4c4b137e627f03d0118f4779d52

SHA1
07120124f394eddb46c3c2a985063718d17fc48d

SHA256
4acc21ce239f8eadca573c53b92cc49b96a9d7b96f7cfe4a5511847148839a2a

SHA512
bfc1cb74b69f1bc0e47eefee7614760edfe068ac9471ed211a87d4b1a47f8f2e784db2beb79b23988ba7810d525eb2463f75eacf0df9f560a2d2e0e52a0e7c7f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wyxculx0\wyxculx0.0.cs

Filesize
370B

MD5
fc29bfd2cc70fc5f9542bc87a1f0f7bd

SHA1
87214cf53eda158d22f7721fd85b36904da1e980

SHA256
969cb860df4b89baad023e229906b8c2db886bdb6f723fb9f0a730172e337081

SHA512
3f03029bf84aec4e76b860059140888638b697c485e3e9a29b18bcdb93359bf8a7a747a62cc56ff23a8954018ff89cbe75387f2ad3c389f4ff98de9a96c7f396

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wyxculx0\wyxculx0.cmdline

Filesize
235B

MD5
2996e3e4a18038f162f24687d3ec8f4f

SHA1
5012a8eb3dd4a6d1d029029774c664d0951c3a67

SHA256
a99030f3b5e13d176b2c68e09c384e3986ceafef47d4186f3a0480a16a289c07

SHA512
4e7e98f1e18f3c07dc3b50609e8e26133b9996e0ccdb09a1e93bff114ef73d1ab77abaf2fa12e91446c3309e795ec570397a65071bde2e4cc1b45efb1c554c00

Download Submit
\??\c:\Windows\System32\CSCD4A4E3E51DF7483FB540CFB0702499A9.TMP

Filesize
1KB

MD5
8c85ef91c6071d33745325a8fa351c3e

SHA1
e3311ceef28823eec99699cc35be27c94eca52d2

SHA256
8db3e3a5515da1933036688a9b1918cfc3339fc687008c5325461271904b2d41

SHA512
2bb89b07fe46b1c406ed6a560e88cb2b8402b1d61bb71e10887bad661751f64f1e5317fd6c1b301ea4766785b915da31b64e0475cfe36c1f950b32915b5dab7d

Download Submit
memory/528-79-0x00000000026D0000-0x00000000026D8000-memory.dmp

Filesize
32KB

Download
memory/528-78-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/604-83-0x0000000001360000-0x000000000153E000-memory.dmp

Filesize
1.9MB

Download
memory/2204-7-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-10-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-19-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-18-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-21-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-17-0x0000000000330000-0x000000000033C000-memory.dmp

Filesize
48KB

Download
memory/2204-12-0x0000000000360000-0x0000000000378000-memory.dmp

Filesize
96KB

Download
memory/2204-14-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/2204-15-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-9-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2204-0-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp

Filesize
4KB

Download
memory/2204-67-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-6-0x0000000000310000-0x000000000031E000-memory.dmp

Filesize
56KB

Download
memory/2204-4-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-3-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-2-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-1-0x0000000000380000-0x000000000055E000-memory.dmp

Filesize
1.9MB

Download