dcrat | a07573c22a19a40f9a01422a93bd1c125909857895e9511d59949ba0e5ceb3fe

Analysis

max time kernel
118s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a07573c22a19a40f9a01422a93bd1c125909857895e95.exe
Size

2.7MB
MD5

c462d6a698a68d09fd332986ab175aab
SHA1

796cc4391791a9c135b32d3ae24c83b5f6f759d8
SHA256

a07573c22a19a40f9a01422a93bd1c125909857895e9511d59949ba0e5ceb3fe
SHA512

328dc1e5a620929de513ce5e496c905ace7856af3eb95f9619f0a5e4748f3375220a4327a0807dea30b94e2dc43983c5e5cc21fb45d8522c7dc18ed778a5ba9b
SSDEEP

49152:UB8QdyqETGWTi91dhvdefW1qI8i5ZMFzp2XZXyoW5AJo:+l8GWWzdVdeu1q/iLMFcRyfAJo

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\WmiPrvSE.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\audiodg.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Download\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\106.0.5249.119\\csrss.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\WmiPrvSE.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\audiodg.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Download\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\106.0.5249.119\\csrss.exe\", \"C:\\refmonitor\\SurrogateBrowserruntimeSvc.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\WmiPrvSE.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\WmiPrvSE.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\audiodg.exe\""	SurrogateBrowserruntimeSvc.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2740	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2740	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2740	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2740	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	2740	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2740	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2740	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2740	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2740	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2740	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2740	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2740	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2740	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2740	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2740	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2740	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2740	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2740	schtasks.exe	34

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1624	powershell.exe
1152	powershell.exe
444	powershell.exe
2580	powershell.exe
1820	powershell.exe
3000	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1948	SurrogateBrowserruntimeSvc.exe
2524	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2892	cmd.exe
2892	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\WmiPrvSE.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Mozilla Firefox\\browser\\features\\audiodg.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Google\\Update\\Download\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\106.0.5249.119\\csrss.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\WmiPrvSE.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Google\\Update\\Download\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\106.0.5249.119\\csrss.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\SurrogateBrowserruntimeSvc = "\"C:\\refmonitor\\SurrogateBrowserruntimeSvc.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SurrogateBrowserruntimeSvc = "\"C:\\refmonitor\\SurrogateBrowserruntimeSvc.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Mozilla Firefox\\browser\\features\\audiodg.exe\""	SurrogateBrowserruntimeSvc.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC78E0A2E780C54261A4CFDEBA8D7BAFB.TMP	csc.exe
File created	\??\c:\Windows\System32\3kmwe8.exe	csc.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe	SurrogateBrowserruntimeSvc.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\42af1c969fbb7b	SurrogateBrowserruntimeSvc.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\WmiPrvSE.exe	SurrogateBrowserruntimeSvc.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\24dbde2999530e	SurrogateBrowserruntimeSvc.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\csrss.exe	SurrogateBrowserruntimeSvc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\csrss.exe	SurrogateBrowserruntimeSvc.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\886983d96e3d3e	SurrogateBrowserruntimeSvc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a07573c22a19a40f9a01422a93bd1c125909857895e95.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1768	schtasks.exe
2128	schtasks.exe
1508	schtasks.exe
2656	schtasks.exe
2724	schtasks.exe
2924	schtasks.exe
700	schtasks.exe
1976	schtasks.exe
648	schtasks.exe
596	schtasks.exe
1464	schtasks.exe
2616	schtasks.exe
1988	schtasks.exe
3028	schtasks.exe
1656	schtasks.exe
1852	schtasks.exe
2188	schtasks.exe
2412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe
1948	SurrogateBrowserruntimeSvc.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	SurrogateBrowserruntimeSvc.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2524	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1788	2116	a07573c22a19a40f9a01422a93bd1c125909857895e95.exe	30
PID 2116 wrote to memory of 1788	2116	a07573c22a19a40f9a01422a93bd1c125909857895e95.exe	30
PID 2116 wrote to memory of 1788	2116	a07573c22a19a40f9a01422a93bd1c125909857895e95.exe	30
PID 2116 wrote to memory of 1788	2116	a07573c22a19a40f9a01422a93bd1c125909857895e95.exe	30
PID 1788 wrote to memory of 2892	1788	WScript.exe	31
PID 1788 wrote to memory of 2892	1788	WScript.exe	31
PID 1788 wrote to memory of 2892	1788	WScript.exe	31
PID 1788 wrote to memory of 2892	1788	WScript.exe	31
PID 2892 wrote to memory of 1948	2892	cmd.exe	33
PID 2892 wrote to memory of 1948	2892	cmd.exe	33
PID 2892 wrote to memory of 1948	2892	cmd.exe	33
PID 2892 wrote to memory of 1948	2892	cmd.exe	33
PID 1948 wrote to memory of 3068	1948	SurrogateBrowserruntimeSvc.exe	38
PID 1948 wrote to memory of 3068	1948	SurrogateBrowserruntimeSvc.exe	38
PID 1948 wrote to memory of 3068	1948	SurrogateBrowserruntimeSvc.exe	38
PID 3068 wrote to memory of 920	3068	csc.exe	40
PID 3068 wrote to memory of 920	3068	csc.exe	40
PID 3068 wrote to memory of 920	3068	csc.exe	40
PID 1948 wrote to memory of 444	1948	SurrogateBrowserruntimeSvc.exe	56
PID 1948 wrote to memory of 444	1948	SurrogateBrowserruntimeSvc.exe	56
PID 1948 wrote to memory of 444	1948	SurrogateBrowserruntimeSvc.exe	56
PID 1948 wrote to memory of 1152	1948	SurrogateBrowserruntimeSvc.exe	57
PID 1948 wrote to memory of 1152	1948	SurrogateBrowserruntimeSvc.exe	57
PID 1948 wrote to memory of 1152	1948	SurrogateBrowserruntimeSvc.exe	57
PID 1948 wrote to memory of 1624	1948	SurrogateBrowserruntimeSvc.exe	58
PID 1948 wrote to memory of 1624	1948	SurrogateBrowserruntimeSvc.exe	58
PID 1948 wrote to memory of 1624	1948	SurrogateBrowserruntimeSvc.exe	58
PID 1948 wrote to memory of 3000	1948	SurrogateBrowserruntimeSvc.exe	60
PID 1948 wrote to memory of 3000	1948	SurrogateBrowserruntimeSvc.exe	60
PID 1948 wrote to memory of 3000	1948	SurrogateBrowserruntimeSvc.exe	60
PID 1948 wrote to memory of 1820	1948	SurrogateBrowserruntimeSvc.exe	61
PID 1948 wrote to memory of 1820	1948	SurrogateBrowserruntimeSvc.exe	61
PID 1948 wrote to memory of 1820	1948	SurrogateBrowserruntimeSvc.exe	61
PID 1948 wrote to memory of 2580	1948	SurrogateBrowserruntimeSvc.exe	62
PID 1948 wrote to memory of 2580	1948	SurrogateBrowserruntimeSvc.exe	62
PID 1948 wrote to memory of 2580	1948	SurrogateBrowserruntimeSvc.exe	62
PID 1948 wrote to memory of 2016	1948	SurrogateBrowserruntimeSvc.exe	68
PID 1948 wrote to memory of 2016	1948	SurrogateBrowserruntimeSvc.exe	68
PID 1948 wrote to memory of 2016	1948	SurrogateBrowserruntimeSvc.exe	68
PID 2016 wrote to memory of 884	2016	cmd.exe	70
PID 2016 wrote to memory of 884	2016	cmd.exe	70
PID 2016 wrote to memory of 884	2016	cmd.exe	70
PID 2016 wrote to memory of 1612	2016	cmd.exe	71
PID 2016 wrote to memory of 1612	2016	cmd.exe	71
PID 2016 wrote to memory of 1612	2016	cmd.exe	71
PID 2016 wrote to memory of 2524	2016	cmd.exe	73
PID 2016 wrote to memory of 2524	2016	cmd.exe	73
PID 2016 wrote to memory of 2524	2016	cmd.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a07573c22a19a40f9a01422a93bd1c125909857895e95.exe
"C:\Users\Admin\AppData\Local\Temp\a07573c22a19a40f9a01422a93bd1c125909857895e95.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\refmonitor\IpbZ1VvTcHrONcTKJANl9zG.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\refmonitor\L8eiZJU31CCxC9L.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\refmonitor\SurrogateBrowserruntimeSvc.exe
      "C:\refmonitor/SurrogateBrowserruntimeSvc.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dz52vkde\dz52vkde.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3DB.tmp" "c:\Windows\System32\CSC78E0A2E780C54261A4CFDEBA8D7BAFB.TMP"
        6⤵
        
        PID:920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\refmonitor\SurrogateBrowserruntimeSvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\56nMk5nTE6.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2016
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:884
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1612
      - C:\Program Files (x86)\Windows Defender\fr-FR\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateBrowserruntimeSvcS" /sc MINUTE /mo 11 /tr "'C:\refmonitor\SurrogateBrowserruntimeSvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateBrowserruntimeSvc" /sc ONLOGON /tr "'C:\refmonitor\SurrogateBrowserruntimeSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateBrowserruntimeSvcS" /sc MINUTE /mo 11 /tr "'C:\refmonitor\SurrogateBrowserruntimeSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\56nMk5nTE6.bat

Filesize
234B

MD5
f7da45dd93fc883b30d382820e13050c

SHA1
7ff916fa5d95180d039e9f5e988c397807595b76

SHA256
3a364e6879da1f59e6711ecf0bdce109b5a1f28577e366d43a79c60837ee385c

SHA512
e69820f96667a6dd95ac1ddb4ac5b0233dffbf4d9fe8f548803536512d3e0212902145ff82bb8cbb2ad86ff7d4003c78198752e2df16fabb01203a51f3451c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC3DB.tmp

Filesize
1KB

MD5
54a82f0a607d8a0a21065637106168ba

SHA1
f7adf05f234dca9f78ebd1d41d072ae68a62ee28

SHA256
01052fe653d40efd9c76d1f25c153ce05b2ddf4614496b91a559f616efa3324f

SHA512
614b087db72aac0f7d03ff2132ffa25bcf0496775665c4daf55003bd39a7134019e0033168669a62a7eadaaaa61e723d59afb27acf6144eccc875d5def4df7db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
78b9b1e2944f1b3c89d069bc691ce761

SHA1
7fe80ed42b5f3a82fb5c537809ea477b68bb69b7

SHA256
b6908ee5043505b2f875db37f25392231ee3656cc57451dce582ebce5dcb507f

SHA512
146cdd1906b71a3a814c1381d61552302be42d276e578e25d26e33cd67202e6183f845725e1e82414eaba18d6586058281fbd5f170513850bc9f75e8a80ab152

Download Submit
C:\refmonitor\IpbZ1VvTcHrONcTKJANl9zG.vbe

Filesize
203B

MD5
7ab2590560976f9db5936c16c769e33e

SHA1
879f7a609f21c2db8f985a2be7328708225ecaac

SHA256
582d8eef207124fa14ea2bee1733ac8eaada70a9dc2e5a26481136deaff10fde

SHA512
2cae748998d21e4e217b652c5cef6a3ba206cf845bba9d85507fea99ee334093318b248680819b36745c1ba586e0d4115a225ef8bc17211d61c2314fbcdd92f4

Download Submit
C:\refmonitor\L8eiZJU31CCxC9L.bat

Filesize
85B

MD5
550369819d3a809d6b71c88c2ac730dd

SHA1
dc2349d2365842b97c43a20922a500bc5402c484

SHA256
359617de9c982df1d89e52bd9be840bb6618850d46380d4183ada239c8435e32

SHA512
aac7ccd06cf0f49d651d1fbc276031bb1b431feb260098cbb69fb54c3993e15e8f6f80ff8c0031048f34e33276800286f2943535ca34f33c0944380a3b960921

Download Submit
C:\refmonitor\SurrogateBrowserruntimeSvc.exe

Filesize
2.4MB

MD5
13d5df2ab2ead9bc68445f92b137eda6

SHA1
0411a2f0bae6108252130feb85e20cc1cf6b5d07

SHA256
80b56ea271aee36a7631af049b4a07141163f8d79ef220af176dc661acad8f54

SHA512
b58d4ec4689de7d0229c56161163e2174004dd217c2a3d33985400d8907506a36b0f769d6ba196327e00577879e7e0c8442ff6e29cbae4110c231ededde45b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dz52vkde\dz52vkde.0.cs

Filesize
402B

MD5
ccc2541dd1d567b316efbb5664bd0353

SHA1
ebfed8f88cac0500673af5422be51b9ec886eddf

SHA256
a6fda4765e1a6d35d323d82813d4411dbffc3217032f87b31a8e21af99d534ee

SHA512
e45a5db11e6f3fdb933953a45cca43920771fcc61b1e0412492395da00a67c436c8a2730ee000c54b8a57888d6262026f001688170f294df4e3dbca4aa569bfc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dz52vkde\dz52vkde.cmdline

Filesize
235B

MD5
7b0469c6a3bc2b734241fff48a2f383d

SHA1
739de91fe8241d55c3c22b49c5604a379622436d

SHA256
11f67a70ef77c7b6a97c77caab90eacb2196bdda183ee94507e4285bed695670

SHA512
89af88e35fa8b699209b3df637646d0f1893d5ba20258c22222eff67c93dbd6d3717c47859233bebae927fd8618b7dcc5117a23467bfbdab6e78e622c1b11486

Download Submit
\??\c:\Windows\System32\CSC78E0A2E780C54261A4CFDEBA8D7BAFB.TMP

Filesize
1KB

MD5
8c85ef91c6071d33745325a8fa351c3e

SHA1
e3311ceef28823eec99699cc35be27c94eca52d2

SHA256
8db3e3a5515da1933036688a9b1918cfc3339fc687008c5325461271904b2d41

SHA512
2bb89b07fe46b1c406ed6a560e88cb2b8402b1d61bb71e10887bad661751f64f1e5317fd6c1b301ea4766785b915da31b64e0475cfe36c1f950b32915b5dab7d

Download Submit
memory/444-87-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1152-77-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/1948-21-0x00000000020B0000-0x00000000020C6000-memory.dmp

Filesize
88KB

Download
memory/1948-17-0x0000000000860000-0x000000000087C000-memory.dmp

Filesize
112KB

Download
memory/1948-19-0x0000000000880000-0x0000000000898000-memory.dmp

Filesize
96KB

Download
memory/1948-25-0x0000000000840000-0x0000000000850000-memory.dmp

Filesize
64KB

Download
memory/1948-29-0x0000000000850000-0x000000000085C000-memory.dmp

Filesize
48KB

Download
memory/1948-27-0x00000000020F0000-0x0000000002108000-memory.dmp

Filesize
96KB

Download
memory/1948-23-0x00000000021C0000-0x000000000221A000-memory.dmp

Filesize
360KB

Download
memory/1948-15-0x0000000000830000-0x000000000083E000-memory.dmp

Filesize
56KB

Download
memory/1948-13-0x00000000008A0000-0x0000000000B12000-memory.dmp

Filesize
2.4MB

Download
memory/2524-91-0x0000000000F50000-0x00000000011C2000-memory.dmp

Filesize
2.4MB

Download