dcrat | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2

Analysis

max time kernel
59s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23/01/2025, 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Size

1.8MB
MD5

d7e7b597ce0c3a87c408c197af695fc4
SHA1

abf13cbcb77d1fe2270b3b7746087419f366748d
SHA256

433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2
SHA512

7cfbf0bd871b9e04e8cd178e8f82052efb108284a279c8e16ea0087e322dfbf00aca117db9cfccb6b6278134edcbce2b8f3b6c050fa4021f6f65f2ccdaf02c91
SSDEEP

24576:fpu2MG9vXL71sCw7sULd3yRsjBp2gltcEA4pUiD7nApwp6t1:Bu2Mw7Y0RsrB5UiD8pw

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\dllhost.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\dllhost.exe\", \"C:\\Users\\All Users\\services.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\dllhost.exe\", \"C:\\Users\\All Users\\services.exe\", \"C:\\Windows\\Tasks\\winlogon.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\dllhost.exe\", \"C:\\Users\\All Users\\services.exe\", \"C:\\Windows\\Tasks\\winlogon.exe\", \"C:\\Users\\Default\\Saved Games\\csrss.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	3048	schtasks.exe	29

DCRat payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/432-1-0x0000000000170000-0x0000000000340000-memory.dmp	family_dcrat_v2
behavioral1/files/0x000500000001950f-52.dat	family_dcrat_v2
behavioral1/memory/2220-100-0x00000000009C0000-0x0000000000B90000-memory.dmp	family_dcrat_v2

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3052	powershell.exe
1020	powershell.exe
1628	powershell.exe
1072	powershell.exe
1272	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2220	services.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft.NET\\dllhost.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft.NET\\dllhost.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\All Users\\services.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\All Users\\services.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Tasks\\winlogon.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Tasks\\winlogon.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Saved Games\\csrss.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Saved Games\\csrss.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCD1654415D934E7ABF7AD9A834969621.TMP	csc.exe
File created	\??\c:\Windows\System32\hi5-9c.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\dllhost.exe	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
File created	C:\Program Files (x86)\Microsoft.NET\5940a34987c991	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\winlogon.exe	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
File created	C:\Windows\Tasks\cc11b995f2a76d	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1728	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1728	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2828	schtasks.exe
2748	schtasks.exe
2396	schtasks.exe
1520	schtasks.exe
516	schtasks.exe
1264	schtasks.exe
1472	schtasks.exe
3012	schtasks.exe
3044	schtasks.exe
1036	schtasks.exe
1524	schtasks.exe
2604	schtasks.exe
2944	schtasks.exe
2704	schtasks.exe
1928	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	2220	services.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 2768	432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	33
PID 432 wrote to memory of 2768	432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	33
PID 432 wrote to memory of 2768	432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	33
PID 2768 wrote to memory of 2296	2768	csc.exe	35
PID 2768 wrote to memory of 2296	2768	csc.exe	35
PID 2768 wrote to memory of 2296	2768	csc.exe	35
PID 432 wrote to memory of 3052	432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	48
PID 432 wrote to memory of 3052	432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	48
PID 432 wrote to memory of 3052	432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	48
PID 432 wrote to memory of 1020	432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	49
PID 432 wrote to memory of 1020	432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	49
PID 432 wrote to memory of 1020	432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	49
PID 432 wrote to memory of 1272	432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	50
PID 432 wrote to memory of 1272	432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	50
PID 432 wrote to memory of 1272	432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	50
PID 432 wrote to memory of 1628	432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	51
PID 432 wrote to memory of 1628	432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	51
PID 432 wrote to memory of 1628	432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	51
PID 432 wrote to memory of 1072	432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	52
PID 432 wrote to memory of 1072	432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	52
PID 432 wrote to memory of 1072	432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	52
PID 432 wrote to memory of 2448	432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	58
PID 432 wrote to memory of 2448	432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	58
PID 432 wrote to memory of 2448	432	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	58
PID 2448 wrote to memory of 2200	2448	cmd.exe	60
PID 2448 wrote to memory of 2200	2448	cmd.exe	60
PID 2448 wrote to memory of 2200	2448	cmd.exe	60
PID 2448 wrote to memory of 1728	2448	cmd.exe	61
PID 2448 wrote to memory of 1728	2448	cmd.exe	61
PID 2448 wrote to memory of 1728	2448	cmd.exe	61
PID 2448 wrote to memory of 2220	2448	cmd.exe	62
PID 2448 wrote to memory of 2220	2448	cmd.exe	62
PID 2448 wrote to memory of 2220	2448	cmd.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
"C:\Users\Admin\AppData\Local\Temp\433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5vzjurao\5vzjurao.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES45B7.tmp" "c:\Windows\System32\CSCD1654415D934E7ABF7AD9A834969621.TMP"
    3⤵
    PID:2296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XkBnUkZlOu.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2200
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1728
- - C:\Users\All Users\services.exe
    "C:\Users\All Users\services.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Tasks\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Saved Games\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES45B7.tmp

Filesize
1KB

MD5
b2f94712045b7f0e95b371d8bf436ab3

SHA1
c8f7163f4ebb3a22f4ba77b12f8f7145410cd190

SHA256
21a1512e91b2a4ca76473891046659e9148bb67015f0122815a1508d342bc4c8

SHA512
59ab1232d4ce923faa96839b60da4d053d14f31ee4be22dea0dcdb75b5d0a04a9b6d041fbf6e2ffe92743eb46222323edb6ad84b8daaa49238bf0edce8302b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkBnUkZlOu.bat

Filesize
159B

MD5
1efa22b2286b02780b9cb20b9e6cba86

SHA1
598efcec3e649f97fcd729fc6be3b9c382dd84f1

SHA256
39955e83f8f069d767ac6638ea6869dafa0899ffe4aa07f15dfd0b77afbd37b2

SHA512
3b2aeb2bb2979ed4436d30fb3e20f62fc9bdfacb86df10b34d3fb5ad37c8279f42430c04f62305f25719dec26e0842507665699d302227170865b75ab08da0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\evDMbgjdSz

Filesize
92KB

MD5
6d9ead954a1d55a4b7b9a23d96bb545e

SHA1
b55a31428681654b9bc4f428fc4c07fa7244760f

SHA256
eab705a4e697fa8c54cdbe7df8d46c679df9878c327a003819bb2bf72d90919c

SHA512
b9422f770aa156c13f63399aae96d750f273a6db7c9177b725660aa236a04ca7c4e3bf64d394de3a1f1ec2ad49b60528023aee37b7c195ed70073c049980a322

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a7fc46f45085567a026b95ae8f5856c8

SHA1
56c113e051df866f4bc575f4d59850bbfb9ac16c

SHA256
813836a3de4998a3e15f9bb7503da29f3488f7b965036dfa025daad0de060a32

SHA512
709c8a2b0d56da2a1bfb80619e030f60f7faf8e90185bf4e8bfcfc84ff19be4b9a411e843c649bcb851e6d96d1b98b1433b34cb700d47954744931bc67b82cef

Download Submit
C:\Users\Default\Saved Games\csrss.exe

Filesize
1.8MB

MD5
d7e7b597ce0c3a87c408c197af695fc4

SHA1
abf13cbcb77d1fe2270b3b7746087419f366748d

SHA256
433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2

SHA512
7cfbf0bd871b9e04e8cd178e8f82052efb108284a279c8e16ea0087e322dfbf00aca117db9cfccb6b6278134edcbce2b8f3b6c050fa4021f6f65f2ccdaf02c91

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5vzjurao\5vzjurao.0.cs

Filesize
409B

MD5
209125e1ef900a0592652d9e0cc6ee46

SHA1
9ceeef4c2b14a5bf13c820eae50294ab3f12bb42

SHA256
317f6d4e2dbe3f6b73cdd138988fd4cbaaaa0722a88eacf8190013a73a16af98

SHA512
3dd60a7c2fb30a8c2d27d5016cb5af71ef9aa37bccc02438767999a2497c168ac78c0c78fa6a15788baf04c2286d1e931e565d34e3bf72dffb9e3d529715f8b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5vzjurao\5vzjurao.cmdline

Filesize
235B

MD5
0ca00954ef2066eec9c58b863e2e9875

SHA1
82f100856245271685bd60e1ad17b4907b0c9ead

SHA256
6b5c2b6d331f8f89445db9b55786df48d6fb8facece80d84cc334581dcd12012

SHA512
b9310f3d26bdd2711abfabd3e5e420e18ae15029e1db1b3c0894a00fb058f108ee4ee04f687a53de548201f26a71bb76e7e8fbad0e44a4cf85b39f2023172abe

Download Submit
\??\c:\Windows\System32\CSCD1654415D934E7ABF7AD9A834969621.TMP

Filesize
1KB

MD5
60a1ebb8f840aad127346a607d80fc19

SHA1
c8b7e9ad601ac19ab90b3e36f811960e8badf354

SHA256
9d6a9d38b7a86cc88e551a0c1172a3fb387b1a5f928ac13993ec3387d39cc243

SHA512
44830cefb264bac520174b4b884312dd0393be33a193d4f0fee3cc3c14deb86ca39e43ef281232f9169fd204d19b22e8a7aad72fa448ca52d5cbc3ee1dbb18a4

Download Submit
memory/432-14-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/432-38-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/432-15-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/432-17-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/432-19-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/432-21-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/432-23-0x00000000006F0000-0x00000000006FE000-memory.dmp

Filesize
56KB

Download
memory/432-25-0x00000000007A0000-0x00000000007B2000-memory.dmp

Filesize
72KB

Download
memory/432-27-0x00000000007C0000-0x00000000007D2000-memory.dmp

Filesize
72KB

Download
memory/432-28-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/432-29-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/432-31-0x0000000000780000-0x000000000078C000-memory.dmp

Filesize
48KB

Download
memory/432-33-0x0000000000790000-0x00000000007A0000-memory.dmp

Filesize
64KB

Download
memory/432-35-0x00000000007E0000-0x00000000007EE000-memory.dmp

Filesize
56KB

Download
memory/432-37-0x00000000022D0000-0x00000000022E8000-memory.dmp

Filesize
96KB

Download
memory/432-0-0x000007FEF65A3000-0x000007FEF65A4000-memory.dmp

Filesize
4KB

Download
memory/432-40-0x00000000007F0000-0x00000000007FC000-memory.dmp

Filesize
48KB

Download
memory/432-42-0x00000000023D0000-0x000000000241E000-memory.dmp

Filesize
312KB

Download
memory/432-43-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/432-12-0x00000000006D0000-0x00000000006E8000-memory.dmp

Filesize
96KB

Download
memory/432-10-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/432-9-0x00000000006B0000-0x00000000006CC000-memory.dmp

Filesize
112KB

Download
memory/432-7-0x0000000000160000-0x000000000016E000-memory.dmp

Filesize
56KB

Download
memory/432-5-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/432-4-0x0000000000470000-0x0000000000496000-memory.dmp

Filesize
152KB

Download
memory/432-1-0x0000000000170000-0x0000000000340000-memory.dmp

Filesize
1.8MB

Download
memory/432-93-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/432-2-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/1020-89-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/1072-92-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2220-100-0x00000000009C0000-0x0000000000B90000-memory.dmp

Filesize
1.8MB

Download