dcrat | 18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919

Analysis

max time kernel
118s
max time network
151s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Size

1.8MB
MD5

e00bc016a35cf87fb0db9dc0d6c3b8b8
SHA1

0281222335121e2e85a88a754c8451679084f8c0
SHA256

18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919
SHA512

a0a3281ce3dcacdd2a5c2848e514a1c54dca44eab3b06be68c1fd175a082742a06580af1158f79102c8229249911442aea7afc36ed6ca4e944d4594db2ae41f7
SSDEEP

24576:FcVMaOQA6hGM5SXggIREn1a0BnuvmgwVhlMv5mXwVzO5PEBYrbZH02KhAbB5YakG:F8zAqHRE1nnu+NYoAV6mobRZKyrY

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Idle.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Idle.exe\", \"C:\\Users\\Default User\\sppsvc.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Idle.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\csrss.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Idle.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\dllhost.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Idle.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\dllhost.exe\", \"C:\\Users\\Admin\\Local Settings\\csrss.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Idle.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\dllhost.exe\", \"C:\\Users\\Admin\\Local Settings\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2944	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2296	powershell.exe
2072	powershell.exe
2256	powershell.exe
2208	powershell.exe
2260	powershell.exe
2640	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2388	Idle.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Idle.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\csrss.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\csrss.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\Local Settings\\csrss.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Idle.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft.NET\\dllhost.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft.NET\\dllhost.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\Local Settings\\csrss.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCBD28FECABCD943699E7C3DBBDE7B2F6.TMP	csc.exe
File created	\??\c:\Windows\System32\_f1q_j.exe	csc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\dllhost.exe	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
File created	C:\Program Files (x86)\Microsoft.NET\5940a34987c991	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\csrss.exe	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\886983d96e3d3e	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\Idle.exe	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6ccacd8608530f	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1372	schtasks.exe
1936	schtasks.exe
2868	schtasks.exe
2156	schtasks.exe
2480	schtasks.exe
3056	schtasks.exe
2064	schtasks.exe
2676	schtasks.exe
2708	schtasks.exe
1940	schtasks.exe
1432	schtasks.exe
792	schtasks.exe
2108	schtasks.exe
1224	schtasks.exe
2952	schtasks.exe
2760	schtasks.exe
2736	schtasks.exe
3064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2388	Idle.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2712	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	34
PID 2804 wrote to memory of 2712	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	34
PID 2804 wrote to memory of 2712	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	34
PID 2712 wrote to memory of 2512	2712	csc.exe	36
PID 2712 wrote to memory of 2512	2712	csc.exe	36
PID 2712 wrote to memory of 2512	2712	csc.exe	36
PID 2804 wrote to memory of 2296	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	52
PID 2804 wrote to memory of 2296	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	52
PID 2804 wrote to memory of 2296	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	52
PID 2804 wrote to memory of 2640	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	53
PID 2804 wrote to memory of 2640	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	53
PID 2804 wrote to memory of 2640	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	53
PID 2804 wrote to memory of 2072	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	54
PID 2804 wrote to memory of 2072	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	54
PID 2804 wrote to memory of 2072	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	54
PID 2804 wrote to memory of 2260	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	57
PID 2804 wrote to memory of 2260	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	57
PID 2804 wrote to memory of 2260	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	57
PID 2804 wrote to memory of 2208	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	58
PID 2804 wrote to memory of 2208	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	58
PID 2804 wrote to memory of 2208	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	58
PID 2804 wrote to memory of 2256	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	60
PID 2804 wrote to memory of 2256	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	60
PID 2804 wrote to memory of 2256	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	60
PID 2804 wrote to memory of 716	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	64
PID 2804 wrote to memory of 716	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	64
PID 2804 wrote to memory of 716	2804	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	64
PID 716 wrote to memory of 1572	716	cmd.exe	66
PID 716 wrote to memory of 1572	716	cmd.exe	66
PID 716 wrote to memory of 1572	716	cmd.exe	66
PID 716 wrote to memory of 1984	716	cmd.exe	67
PID 716 wrote to memory of 1984	716	cmd.exe	67
PID 716 wrote to memory of 1984	716	cmd.exe	67
PID 716 wrote to memory of 2388	716	cmd.exe	68
PID 716 wrote to memory of 2388	716	cmd.exe	68
PID 716 wrote to memory of 2388	716	cmd.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
"C:\Users\Admin\AppData\Local\Temp\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\luflewin\luflewin.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42CA.tmp" "c:\Windows\System32\CSCBD28FECABCD943699E7C3DBBDE7B2F6.TMP"
    3⤵
    PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Local Settings\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cQ0ueRy6A7.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1572
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1984
- - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\Idle.exe
    "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\Idle.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Local Settings\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Local Settings\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c9191" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c9191" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\Idle.exe

Filesize
1.8MB

MD5
e00bc016a35cf87fb0db9dc0d6c3b8b8

SHA1
0281222335121e2e85a88a754c8451679084f8c0

SHA256
18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919

SHA512
a0a3281ce3dcacdd2a5c2848e514a1c54dca44eab3b06be68c1fd175a082742a06580af1158f79102c8229249911442aea7afc36ed6ca4e944d4594db2ae41f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES42CA.tmp

Filesize
1KB

MD5
31aa52a0ea0f40e7dab492f31f255b68

SHA1
fbdddeb681f79826d4205904814830a1eeec22dc

SHA256
c501cf3d581e7b0814db3a3b4996ea6058887cde4014e528e72bbcebc6eb7845

SHA512
8cc4cfe5fac74b756940f7195c25fde1ebd96bbd85a48ec9d8b3a78f5799cc8d5ba8b39e4edebe8be1cf4d94f6934c01589bf36aff6f179684d414b70352fd47

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQ0ueRy6A7.bat

Filesize
257B

MD5
3f4bfe7a7a6f262654655c6e8ece751d

SHA1
428dc0b6870da643109a0e7c04d333f1d9eae4e9

SHA256
be016c8a8ab837ce82793ac7deccd9b772ce02920ecec072803d922eafa3c186

SHA512
ecf83596295956b1728131c3a986fa3576b3cf293142bd99f6009cfc30caa2b777442b85dc3c52f75dcaa8691d8888236f819761f77be7b5e5b5b07c0fa72701

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a659a9706a1810b7a6a89bcd2ec7ca47

SHA1
51d3299ed83e1ba990d4d28e8a9698ca8de31dc5

SHA256
ab7c9abd48ca07176835cb70f54cd86934bce691f190292b05a8528c1f4c7a19

SHA512
eb374176ac3a3f2b57139c4351624705b6b75c61412068915f04b0b355c00e380f6de79199afb5f08a70d6fa91dccf5e8d83fc1f8cc7b074d75fd4497721cfb4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\luflewin\luflewin.0.cs

Filesize
413B

MD5
a6194d2b392931af8506d53ddfda3087

SHA1
f9ca5ebfc65fafc77262a6d11c8d0f64453db4f1

SHA256
06f6c96dee8826ec43383da3050b69d89d2d12a32bdedfbc6101bb3d3295e2f2

SHA512
9229129936b0b2a95991b1096d8f7926890e1fb92367cdb36a5b7a95e0d8d0832eb53e915ff7638648729650fec62ad8522a7f5191eb9db7f39b55c9f14d9c0e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\luflewin\luflewin.cmdline

Filesize
235B

MD5
ccddca565a13cd7dbdb3d20578d638fc

SHA1
42b4250aee3925b919916550e4ed9db426aa2946

SHA256
778b2501f6c13adf2aa7af3b8a01407b80a1321596f642602b0b210f8ed4d13c

SHA512
2bd2c832f30884ee0a2696f03636929297a01633582ae370c5f942be6edd2858e50b785016c4a21fb27b0646371cbad461e0ca9b7bb93227a3f7f9ee3fc151b5

Download Submit
\??\c:\Windows\System32\CSCBD28FECABCD943699E7C3DBBDE7B2F6.TMP

Filesize
1KB

MD5
fccbcfaf29fdccaabada579f7aaf3ae7

SHA1
f9b179b6aab6b96908d89b35aab3f503478a956d

SHA256
e70bc8ad14a70d490fe92ed86e79c40fc133a64428a2781e14514b16d83a9b02

SHA512
ac047b4ba060e72e224c1afdebbdafecbfd705a67cb8f0cd5c82bf7980c2baa23bdb5bf5d821836bc0c426069a61d8e112b45239887d2d81b8a6d4fa839c1e10

Download Submit
memory/2388-80-0x0000000001060000-0x000000000123A000-memory.dmp

Filesize
1.9MB

Download
memory/2640-76-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2640-77-0x0000000002990000-0x0000000002998000-memory.dmp

Filesize
32KB

Download
memory/2804-56-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2804-0-0x000007FEF6443000-0x000007FEF6444000-memory.dmp

Filesize
4KB

Download
memory/2804-11-0x0000000000640000-0x0000000000658000-memory.dmp

Filesize
96KB

Download
memory/2804-14-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2804-12-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2804-9-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2804-28-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2804-15-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2804-6-0x0000000000460000-0x000000000046E000-memory.dmp

Filesize
56KB

Download
memory/2804-17-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2804-4-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2804-3-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2804-2-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2804-8-0x0000000000620000-0x000000000063C000-memory.dmp

Filesize
112KB

Download
memory/2804-1-0x00000000000A0000-0x000000000027A000-memory.dmp

Filesize
1.9MB

Download