dcrat | 73b461a9d859f019ed4f0dda1e0cc86a36b826bde0f318e806503876056b41c0

Analysis

max time kernel
137s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/01/2025, 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SearchIndexer.exe
Size

3.6MB
MD5

f2997dfb6f126670204c83344b678f0e
SHA1

fb1a90117ff594cac3b2cebbbbd072674f246ce3
SHA256

73b461a9d859f019ed4f0dda1e0cc86a36b826bde0f318e806503876056b41c0
SHA512

20bd6c2e2aebf5e96f8d9497880538061f23ed8b925cf916749da16db6339a2dd2ff5166aa0c096e23f7654e5b2959d9af108cf5ccf68291cc80f8c7c2d235ad
SSDEEP

98304:NzRppqmmRX+6fo6du/5P2nPNWNG5trztTgyz+65WzU:NzRppqVDqOnVWNG5bR+65WzU

Score

10^/10

dcrat neshta discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Detect Neshta payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010314-11.dat	family_neshta
behavioral1/memory/3036-233-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3036-235-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2636	schtasks.exe	31

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1548	powershell.exe
1172	powershell.exe
1048	powershell.exe
2172	powershell.exe
1760	powershell.exe
560	powershell.exe
1656	powershell.exe
2324	powershell.exe
932	powershell.exe
1724	powershell.exe
612	powershell.exe
1888	powershell.exe
988	powershell.exe
2100	powershell.exe
580	powershell.exe
1136	powershell.exe
1900	powershell.exe
1920	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2376	SearchIndexer.exe
2420	dllhost.exe

Loads dropped DLL 3 IoCs

pid	Process
3036	SearchIndexer.exe
3036	SearchIndexer.exe
3036	SearchIndexer.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\taskhost.exe	SearchIndexer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	SearchIndexer.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	SearchIndexer.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\c5b4cb5e9653cc	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	SearchIndexer.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	SearchIndexer.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	SearchIndexer.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\services.exe	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	SearchIndexer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	SearchIndexer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	SearchIndexer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SearchIndexer.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2464	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	SearchIndexer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2464	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2472	schtasks.exe
2148	schtasks.exe
2680	schtasks.exe
2396	schtasks.exe
2964	schtasks.exe
1536	schtasks.exe
1604	schtasks.exe
316	schtasks.exe
1896	schtasks.exe
2772	schtasks.exe
1472	schtasks.exe
1540	schtasks.exe
736	schtasks.exe
1876	schtasks.exe
1520	schtasks.exe
1644	schtasks.exe
1076	schtasks.exe
2672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe
2376	SearchIndexer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2420	dllhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	SearchIndexer.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	612	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	2420	dllhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2420	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2376	3036	SearchIndexer.exe	30
PID 3036 wrote to memory of 2376	3036	SearchIndexer.exe	30
PID 3036 wrote to memory of 2376	3036	SearchIndexer.exe	30
PID 3036 wrote to memory of 2376	3036	SearchIndexer.exe	30
PID 2376 wrote to memory of 1656	2376	SearchIndexer.exe	50
PID 2376 wrote to memory of 1656	2376	SearchIndexer.exe	50
PID 2376 wrote to memory of 1656	2376	SearchIndexer.exe	50
PID 2376 wrote to memory of 932	2376	SearchIndexer.exe	51
PID 2376 wrote to memory of 932	2376	SearchIndexer.exe	51
PID 2376 wrote to memory of 932	2376	SearchIndexer.exe	51
PID 2376 wrote to memory of 612	2376	SearchIndexer.exe	52
PID 2376 wrote to memory of 612	2376	SearchIndexer.exe	52
PID 2376 wrote to memory of 612	2376	SearchIndexer.exe	52
PID 2376 wrote to memory of 560	2376	SearchIndexer.exe	53
PID 2376 wrote to memory of 560	2376	SearchIndexer.exe	53
PID 2376 wrote to memory of 560	2376	SearchIndexer.exe	53
PID 2376 wrote to memory of 1760	2376	SearchIndexer.exe	56
PID 2376 wrote to memory of 1760	2376	SearchIndexer.exe	56
PID 2376 wrote to memory of 1760	2376	SearchIndexer.exe	56
PID 2376 wrote to memory of 2172	2376	SearchIndexer.exe	57
PID 2376 wrote to memory of 2172	2376	SearchIndexer.exe	57
PID 2376 wrote to memory of 2172	2376	SearchIndexer.exe	57
PID 2376 wrote to memory of 1048	2376	SearchIndexer.exe	58
PID 2376 wrote to memory of 1048	2376	SearchIndexer.exe	58
PID 2376 wrote to memory of 1048	2376	SearchIndexer.exe	58
PID 2376 wrote to memory of 1136	2376	SearchIndexer.exe	59
PID 2376 wrote to memory of 1136	2376	SearchIndexer.exe	59
PID 2376 wrote to memory of 1136	2376	SearchIndexer.exe	59
PID 2376 wrote to memory of 580	2376	SearchIndexer.exe	60
PID 2376 wrote to memory of 580	2376	SearchIndexer.exe	60
PID 2376 wrote to memory of 580	2376	SearchIndexer.exe	60
PID 2376 wrote to memory of 1172	2376	SearchIndexer.exe	61
PID 2376 wrote to memory of 1172	2376	SearchIndexer.exe	61
PID 2376 wrote to memory of 1172	2376	SearchIndexer.exe	61
PID 2376 wrote to memory of 2100	2376	SearchIndexer.exe	62
PID 2376 wrote to memory of 2100	2376	SearchIndexer.exe	62
PID 2376 wrote to memory of 2100	2376	SearchIndexer.exe	62
PID 2376 wrote to memory of 1548	2376	SearchIndexer.exe	63
PID 2376 wrote to memory of 1548	2376	SearchIndexer.exe	63
PID 2376 wrote to memory of 1548	2376	SearchIndexer.exe	63
PID 2376 wrote to memory of 1724	2376	SearchIndexer.exe	66
PID 2376 wrote to memory of 1724	2376	SearchIndexer.exe	66
PID 2376 wrote to memory of 1724	2376	SearchIndexer.exe	66
PID 2376 wrote to memory of 988	2376	SearchIndexer.exe	68
PID 2376 wrote to memory of 988	2376	SearchIndexer.exe	68
PID 2376 wrote to memory of 988	2376	SearchIndexer.exe	68
PID 2376 wrote to memory of 1920	2376	SearchIndexer.exe	69
PID 2376 wrote to memory of 1920	2376	SearchIndexer.exe	69
PID 2376 wrote to memory of 1920	2376	SearchIndexer.exe	69
PID 2376 wrote to memory of 2324	2376	SearchIndexer.exe	71
PID 2376 wrote to memory of 2324	2376	SearchIndexer.exe	71
PID 2376 wrote to memory of 2324	2376	SearchIndexer.exe	71
PID 2376 wrote to memory of 1888	2376	SearchIndexer.exe	72
PID 2376 wrote to memory of 1888	2376	SearchIndexer.exe	72
PID 2376 wrote to memory of 1888	2376	SearchIndexer.exe	72
PID 2376 wrote to memory of 1900	2376	SearchIndexer.exe	73
PID 2376 wrote to memory of 1900	2376	SearchIndexer.exe	73
PID 2376 wrote to memory of 1900	2376	SearchIndexer.exe	73
PID 2376 wrote to memory of 2040	2376	SearchIndexer.exe	84
PID 2376 wrote to memory of 2040	2376	SearchIndexer.exe	84
PID 2376 wrote to memory of 2040	2376	SearchIndexer.exe	84
PID 2040 wrote to memory of 236	2040	cmd.exe	88
PID 2040 wrote to memory of 236	2040	cmd.exe	88
PID 2040 wrote to memory of 236	2040	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SearchIndexer.exe
"C:\Users\Admin\AppData\Local\Temp\SearchIndexer.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\3582-490\SearchIndexer.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\SearchIndexer.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\services.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Local Settings\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3582-490\SearchIndexer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HblWKWAsB8.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:236
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2464
  - - C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe
      "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Local Settings\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Local Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchIndexerS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\3582-490\SearchIndexer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\3582-490\SearchIndexer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchIndexerS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\3582-490\SearchIndexer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\HblWKWAsB8.bat

Filesize
188B

MD5
c24786d53a55a51bcee7005b5a333a8b

SHA1
97177d74fabfa948a256d0936d35243a65982da3

SHA256
d5fe58003d6adbba5829b81ce0b8962aaab4598d6c6cef54c763e151ccf4294c

SHA512
d991ac22afd98558d31f368f3679658da9fb81bf43c0830813f45e3d00347e60b8d74c4319a56ca0f346c5844cd1dba9cc26eb3d451707c488789f19a87c3a79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0dbbb787c99bfe8b9f07587cebf2d9b7

SHA1
c82fe00c5a3ee412513b811ca5c4a97fe6456412

SHA256
89f0456eda0f1b49d2ba2305b1d7949329255a67651dd4d6feaf85bab6aa376f

SHA512
dec0f3ca9835413d52440a80ae842a7f6a5de4fc8a14d0813f355880741ac307dfd0b38ab4fe450cdfa85a3103fca28ed2f2fff958e38aeb82b74255afe1eaa0

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\SearchIndexer.exe

Filesize
3.5MB

MD5
3e3fe7663181211e5983da48431ddf33

SHA1
0bea67a96dba0798541ea15426fb0ac38c10ff06

SHA256
cc398c54d30b3c0c1ff1d54f03fb157578346d088c9ce38fc6347698f25fc166

SHA512
80056c508dade773729c239bd0b43d92c9e6d8de513b19776bf28665e37e44d022fd6c5f33ebfa3fe31b9480ce0705e9581d872b8e79703931da459d4f5922a0

Download Submit
memory/1656-160-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/1656-159-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2376-113-0x000000001AAB0000-0x000000001AAC2000-memory.dmp

Filesize
72KB

Download
memory/2376-121-0x000000001B080000-0x000000001B0DA000-memory.dmp

Filesize
360KB

Download
memory/2376-95-0x0000000000590000-0x00000000005AC000-memory.dmp

Filesize
112KB

Download
memory/2376-97-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2376-99-0x0000000000A50000-0x0000000000A68000-memory.dmp

Filesize
96KB

Download
memory/2376-101-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/2376-103-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2376-105-0x0000000000A70000-0x0000000000A7E000-memory.dmp

Filesize
56KB

Download
memory/2376-107-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download
memory/2376-109-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/2376-111-0x000000001AA90000-0x000000001AAA6000-memory.dmp

Filesize
88KB

Download
memory/2376-91-0x00000000002C0000-0x00000000002E6000-memory.dmp

Filesize
152KB

Download
memory/2376-115-0x0000000000A90000-0x0000000000A9E000-memory.dmp

Filesize
56KB

Download
memory/2376-117-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download
memory/2376-119-0x0000000000B50000-0x0000000000B60000-memory.dmp

Filesize
64KB

Download
memory/2376-93-0x00000000002A0000-0x00000000002AE000-memory.dmp

Filesize
56KB

Download
memory/2376-123-0x0000000000BE0000-0x0000000000BEE000-memory.dmp

Filesize
56KB

Download
memory/2376-125-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/2376-127-0x00000000011E0000-0x00000000011EE000-memory.dmp

Filesize
56KB

Download
memory/2376-129-0x000000001AAF0000-0x000000001AB08000-memory.dmp

Filesize
96KB

Download
memory/2376-131-0x000000001AAD0000-0x000000001AADC000-memory.dmp

Filesize
48KB

Download
memory/2376-133-0x000000001B0E0000-0x000000001B12E000-memory.dmp

Filesize
312KB

Download
memory/2376-48-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2376-47-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2376-15-0x00000000011F0000-0x000000000157E000-memory.dmp

Filesize
3.6MB

Download
memory/2376-164-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2376-14-0x000007FEF55A3000-0x000007FEF55A4000-memory.dmp

Filesize
4KB

Download
memory/2420-238-0x0000000001090000-0x000000000141E000-memory.dmp

Filesize
3.6MB

Download
memory/3036-233-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3036-235-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download