dcrat | c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c

Analysis

max time kernel
119s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
Size

811KB
MD5

2e4246ce82069e5e1f389e556634d683
SHA1

2beb8cbe24d8775df79abaeb38fae72e96719d08
SHA256

c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c
SHA512

db52a5460d82bd1d8a250b2de68e3f0b55e7dbb044ccaf034484782cc2a7bc8e5c546954d3b6587b65be63181bf5f8c0603619d8438fb1c14744438fe78e66a8
SSDEEP

12288:kKIIhtQY47i/eIFdRgbE1ooBQdpW3Ari4VVyZC0+1cXOoxPRq/6:kCaY4gFdRgbiooBQd3iE0n/xa6

Score

10^/10

dcrat execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\services.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\audiodg.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\""	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\services.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\audiodg.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\fr-FR\\lsm.exe\""	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\services.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\audiodg.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\fr-FR\\lsm.exe\", \"C:\\Users\\Default\\Music\\csrss.exe\""	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\services.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\audiodg.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\fr-FR\\lsm.exe\", \"C:\\Users\\Default\\Music\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe\""	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\services.exe\""	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\services.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\audiodg.exe\""	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	1532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	1532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	1532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	1532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	1532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	1532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	1532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	1532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	1532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	1532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	1532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	1532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	1532	schtasks.exe	30

DCRat payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2716-1-0x0000000000C60000-0x0000000000D32000-memory.dmp	family_dcrat_v2
behavioral1/files/0x0005000000019647-27.dat	family_dcrat_v2
behavioral1/memory/1676-80-0x0000000000A10000-0x0000000000AE2000-memory.dmp	family_dcrat_v2

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2556	powershell.exe
2676	powershell.exe
2228	powershell.exe
2324	powershell.exe
2336	powershell.exe
2392	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1676	audiodg.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe\""	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe\""	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\audiodg.exe\""	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\audiodg.exe\""	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\""	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\fr-FR\\lsm.exe\""	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\fr-FR\\lsm.exe\""	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\services.exe\""	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\services.exe\""	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\""	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Music\\csrss.exe\""	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Music\\csrss.exe\""	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCB2D5268742744A79A6EB4B3B538DB67.TMP	csc.exe
File created	\??\c:\Windows\System32\byyuy-.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\lsm.exe	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\101b941d020240	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1748	schtasks.exe
1752	schtasks.exe
1244	schtasks.exe
2880	schtasks.exe
2912	schtasks.exe
2624	schtasks.exe
2396	schtasks.exe
1584	schtasks.exe
2472	schtasks.exe
2064	schtasks.exe
3004	schtasks.exe
2744	schtasks.exe
2148	schtasks.exe
2960	schtasks.exe
576	schtasks.exe
2864	schtasks.exe
1996	schtasks.exe
1724	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1676	audiodg.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 696	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	34
PID 2716 wrote to memory of 696	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	34
PID 2716 wrote to memory of 696	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	34
PID 696 wrote to memory of 1308	696	csc.exe	36
PID 696 wrote to memory of 1308	696	csc.exe	36
PID 696 wrote to memory of 1308	696	csc.exe	36
PID 2716 wrote to memory of 2556	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	52
PID 2716 wrote to memory of 2556	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	52
PID 2716 wrote to memory of 2556	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	52
PID 2716 wrote to memory of 2676	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	53
PID 2716 wrote to memory of 2676	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	53
PID 2716 wrote to memory of 2676	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	53
PID 2716 wrote to memory of 2392	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	55
PID 2716 wrote to memory of 2392	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	55
PID 2716 wrote to memory of 2392	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	55
PID 2716 wrote to memory of 2336	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	57
PID 2716 wrote to memory of 2336	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	57
PID 2716 wrote to memory of 2336	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	57
PID 2716 wrote to memory of 2228	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	58
PID 2716 wrote to memory of 2228	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	58
PID 2716 wrote to memory of 2228	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	58
PID 2716 wrote to memory of 2324	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	59
PID 2716 wrote to memory of 2324	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	59
PID 2716 wrote to memory of 2324	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	59
PID 2716 wrote to memory of 1932	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	63
PID 2716 wrote to memory of 1932	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	63
PID 2716 wrote to memory of 1932	2716	c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe	63
PID 1932 wrote to memory of 376	1932	cmd.exe	66
PID 1932 wrote to memory of 376	1932	cmd.exe	66
PID 1932 wrote to memory of 376	1932	cmd.exe	66
PID 1932 wrote to memory of 2316	1932	cmd.exe	67
PID 1932 wrote to memory of 2316	1932	cmd.exe	67
PID 1932 wrote to memory of 2316	1932	cmd.exe	67
PID 1932 wrote to memory of 1676	1932	cmd.exe	68
PID 1932 wrote to memory of 1676	1932	cmd.exe	68
PID 1932 wrote to memory of 1676	1932	cmd.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe
"C:\Users\Admin\AppData\Local\Temp\c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x102aq43\x102aq43.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EB1.tmp" "c:\Windows\System32\CSCB2D5268742744A79A6EB4B3B538DB67.TMP"
    3⤵
    PID:1308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UIinY3cdVO.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:376
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2316
- - C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
    "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Music\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9cc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9cc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe

Filesize
811KB

MD5
2e4246ce82069e5e1f389e556634d683

SHA1
2beb8cbe24d8775df79abaeb38fae72e96719d08

SHA256
c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c

SHA512
db52a5460d82bd1d8a250b2de68e3f0b55e7dbb044ccaf034484782cc2a7bc8e5c546954d3b6587b65be63181bf5f8c0603619d8438fb1c14744438fe78e66a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7EB1.tmp

Filesize
1KB

MD5
d720964e135671b7b909738c3337e390

SHA1
395a780aa098b46d844d3e5ad0376c0266f2f5fa

SHA256
afa953fce60d642d37d9c23ec5e4d305234956bb955f2f33fe013130e29bd06a

SHA512
a85cc9e81596397d1e54a6d2f21b64df70335c3f83a42365e4f5982b19ee64513b52a0fbe4a25725b44217e65cd38f9b80e260d83592a070a038e956a6c3c036

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIinY3cdVO.bat

Filesize
236B

MD5
de5b8cd8a46a071f1c8fed9567bf66e8

SHA1
b7bcac759179068efcc21f8de63205c401f56e0a

SHA256
7fe63fc8bd980a8f2fec4ed6b46cb2c5a1bfc382b21eab08aca11303285a4039

SHA512
2b4be3be0a1b5c053c719f588d07173c4ed0b7e6dc8a0f4e0583445a1fbcfd92f8007f85482c0e9daf54887145141d84430c068bc8c9605b7d6e2eaadb1c8354

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6d5165e4142f1bab9df54c046ac39c1a

SHA1
03dce067a6858beb911c06847cc2b8c7e0ecc94e

SHA256
919907a7c8564d9873d02909d0d7fddb39d141a1f715f1883c9e28cbbc019bc6

SHA512
01126a1b0d2388dd2dc4c4a92d1dac2ee602e6bb2a294c3d3aafe74c07757e0d8011b8d1f24b91007a18b792782ffd4eaee8c2beb1db5add9d476e5a4e8ba29f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x102aq43\x102aq43.0.cs

Filesize
393B

MD5
e31dbc5d9c759af28f331fbdb2df8b47

SHA1
5305d4bf0908307954366af9c8590578a39b368c

SHA256
b7f08a66071bc3cf04c680ae02e7d7f4229c21fe1f112d44870fbcb1f96c92c1

SHA512
959dda21bb42cfae64aedb09e8a1ae608252f086669ed023629d94c1a6df4160bae74f17401391b0316c67ffbfd194fc2e388c74cd3594c424fd8efdd573adfc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x102aq43\x102aq43.cmdline

Filesize
235B

MD5
459866aeb6dbd571a235a48d6ccd9d0d

SHA1
a4211630383e2619e6003c754d4474143946aff1

SHA256
3325a5c50386044c85e6b5e41ae63036cdef34a9ea3c7d834e3e178ebcc22f0c

SHA512
504c46aa71a6997d4490b31a4b1c317d9637fbdd477ebd9bac12a393bb715cebd01d773238d118bb921c436056221a472cce44201be9553f04f1cad26e170913

Download Submit
\??\c:\Windows\System32\CSCB2D5268742744A79A6EB4B3B538DB67.TMP

Filesize
1KB

MD5
078586b266e519b5c113064d7a0bf45c

SHA1
a9395c0ef35add5c75591ebb94c85c1f33f408bf

SHA256
ccf292ff9f142b204ad4f4481a044ba8f9ab274305dcb604bf0b8ae91819ab1e

SHA512
5b8eb6aad62657309088c4668d633c2aa6324d4824ec32c3c5e133df0a5493a4342c980e077ba565f3aab29c58f95c8db7195415a1e554384405c1457730f959

Download Submit
memory/1676-80-0x0000000000A10000-0x0000000000AE2000-memory.dmp

Filesize
840KB

Download
memory/2336-72-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/2336-61-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/2716-8-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2716-0-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

Filesize
4KB

Download
memory/2716-15-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/2716-17-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2716-10-0x00000000004D0000-0x00000000004E8000-memory.dmp

Filesize
96KB

Download
memory/2716-12-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/2716-13-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2716-16-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2716-6-0x00000000004B0000-0x00000000004CC000-memory.dmp

Filesize
112KB

Download
memory/2716-59-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2716-7-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2716-4-0x0000000000480000-0x000000000048E000-memory.dmp

Filesize
56KB

Download
memory/2716-2-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2716-1-0x0000000000C60000-0x0000000000D32000-memory.dmp

Filesize
840KB

Download