dcrat | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Size

1.8MB
MD5

d7e7b597ce0c3a87c408c197af695fc4
SHA1

abf13cbcb77d1fe2270b3b7746087419f366748d
SHA256

433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2
SHA512

7cfbf0bd871b9e04e8cd178e8f82052efb108284a279c8e16ea0087e322dfbf00aca117db9cfccb6b6278134edcbce2b8f3b6c050fa4021f6f65f2ccdaf02c91
SSDEEP

24576:fpu2MG9vXL71sCw7sULd3yRsjBp2gltcEA4pUiD7nApwp6t1:Bu2Mw7Y0RsrB5UiD8pw

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\WinSAT\\DataStore\\sysmon.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\WinSAT\\DataStore\\sysmon.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\fontdrvhost.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\WinSAT\\DataStore\\sysmon.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\fontdrvhost.exe\", \"C:\\Users\\Public\\Pictures\\explorer.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\WinSAT\\DataStore\\sysmon.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\fontdrvhost.exe\", \"C:\\Users\\Public\\Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsass.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\WinSAT\\DataStore\\sysmon.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\fontdrvhost.exe\", \"C:\\Users\\Public\\Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	3432	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	3432	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	3432	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	3432	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	3432	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	3432	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	3432	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	3432	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	3432	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	3432	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	3432	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	3432	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	3432	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	3432	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	3432	schtasks.exe	83

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/4000-1-0x0000000000410000-0x00000000005E0000-memory.dmp	family_dcrat_v2
behavioral2/files/0x000a000000023b6f-56.dat	family_dcrat_v2

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4388	powershell.exe
2952	powershell.exe
2560	powershell.exe
2800	powershell.exe
3524	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe

Executes dropped EXE 1 IoCs

pid	Process
1680	fontdrvhost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Portable Devices\\lsass.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\sysmon.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\fontdrvhost.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Public\\Pictures\\explorer.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Portable Devices\\lsass.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\sysmon.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\fontdrvhost.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Public\\Pictures\\explorer.exe\""	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCA74A8A77341841A3823A9B9679421484.TMP	csc.exe
File created	\??\c:\Windows\System32\ovufcs.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\lsass.exe	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6203df4a6bafc7	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\fontdrvhost.exe	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\5b884080fd4f94	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\DataStore\121e5b5079f7c0	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
File created	C:\Windows\Performance\WinSAT\DataStore\sysmon.exe	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\sysmon.exe	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2756	schtasks.exe
4568	schtasks.exe
3460	schtasks.exe
1332	schtasks.exe
2200	schtasks.exe
1584	schtasks.exe
1452	schtasks.exe
208	schtasks.exe
3496	schtasks.exe
3296	schtasks.exe
2512	schtasks.exe
4944	schtasks.exe
1416	schtasks.exe
3972	schtasks.exe
3608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1680	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	1680	fontdrvhost.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 1600	4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	87
PID 4000 wrote to memory of 1600	4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	87
PID 1600 wrote to memory of 3960	1600	csc.exe	89
PID 1600 wrote to memory of 3960	1600	csc.exe	89
PID 4000 wrote to memory of 3524	4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	102
PID 4000 wrote to memory of 3524	4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	102
PID 4000 wrote to memory of 2800	4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	103
PID 4000 wrote to memory of 2800	4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	103
PID 4000 wrote to memory of 2560	4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	104
PID 4000 wrote to memory of 2560	4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	104
PID 4000 wrote to memory of 2952	4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	105
PID 4000 wrote to memory of 2952	4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	105
PID 4000 wrote to memory of 4388	4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	106
PID 4000 wrote to memory of 4388	4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	106
PID 4000 wrote to memory of 3112	4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	112
PID 4000 wrote to memory of 3112	4000	433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe	112
PID 3112 wrote to memory of 3508	3112	cmd.exe	114
PID 3112 wrote to memory of 3508	3112	cmd.exe	114
PID 3112 wrote to memory of 4772	3112	cmd.exe	115
PID 3112 wrote to memory of 4772	3112	cmd.exe	115
PID 3112 wrote to memory of 1680	3112	cmd.exe	116
PID 3112 wrote to memory of 1680	3112	cmd.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
"C:\Users\Admin\AppData\Local\Temp\433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\umw2xcf2\umw2xcf2.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8F2.tmp" "c:\Windows\System32\CSCA74A8A77341841A3823A9B9679421484.TMP"
    3⤵
    PID:3960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\SIGNUP\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h4LPte4JFq.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3508
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4772
- - C:\Program Files (x86)\Internet Explorer\SIGNUP\fontdrvhost.exe
    "C:\Program Files (x86)\Internet Explorer\SIGNUP\fontdrvhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\DataStore\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.8MB

MD5
d7e7b597ce0c3a87c408c197af695fc4

SHA1
abf13cbcb77d1fe2270b3b7746087419f366748d

SHA256
433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2

SHA512
7cfbf0bd871b9e04e8cd178e8f82052efb108284a279c8e16ea0087e322dfbf00aca117db9cfccb6b6278134edcbce2b8f3b6c050fa4021f6f65f2ccdaf02c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a0vUv8z7V

Filesize
114KB

MD5
9a3be5cb8635e4df5189c9aaa9c1b3c0

SHA1
9a7ce80c8b4362b7c10294bb1551a6172e656f47

SHA256
958f70959a70caf02c0063fe80f12c4d4d3f822a9fd640a6685c345d98708c26

SHA512
5c538513eba7ebaf7028b924d992b4c32ca323ad44f7a31e21970ed6852ea8b54cf71b2f811e8bf97f2744ee151e001ea52ba43b61cd032cc5a4c886292aac65

Download Submit
C:\Users\Admin\AppData\Local\Temp\QedoW9R0mW

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA8F2.tmp

Filesize
1KB

MD5
529e3748735598a1fee267a9cb136885

SHA1
9ab82d5034bfcc20efcc0845f875b0a8fc920c9b

SHA256
8c8b058086b8a62b2b5cdfe50c807774f3ffa95272f772d22007ef7106a08c74

SHA512
ff3271152d59a9d845464629b2af8cc1e6c759665e3b68d13b776fc3e52efd158f83758a503c48a24020e4a90210029f7c1444145500ca7c84ff52fac9a670d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_knrahflx.ijy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\h4LPte4JFq.bat

Filesize
239B

MD5
c94c0a6405bc5b0284b9751fa22488d2

SHA1
37b6df263a7bb0f8f7356f337851745573c9fdfb

SHA256
3abe5b6826bd6aeaa13cf9d9251e38259ee9e9583fb5f359e556e2f7e8ead297

SHA512
fb6e444faebe7814a816db108bdacfa28fd65a4edc998316ffb872712d97ff798bb24a1962826b35dbbaa975b57dd0b842b5b7c938390dfdac8b4a58347a32a9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\umw2xcf2\umw2xcf2.0.cs

Filesize
382B

MD5
b63887e578c3ff84c8f47b4fc17bcb38

SHA1
6b911d60e2996fe08b47afc829ffbb74f5f92391

SHA256
bf861127511e890fc4fb2dd24c200a03cc9a7c1e53651bd73928f3c9779d52b0

SHA512
07da6d9db6fbd9240705d3e4fbb6413a98b911431c0b245b1fdb412bc4365d95d24ad951f290d9257256bf185b1ab2cdc642841fb4e059275bc033f240e61f84

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\umw2xcf2\umw2xcf2.cmdline

Filesize
235B

MD5
979cba21606542470dafb7c67fc6432c

SHA1
3d87444be9e4426b3873891bc59e03655836e276

SHA256
1923b291df48bffbd17f1bdf79fa9fb1f46976c2e14b818f5883450341e50a65

SHA512
74795a6798c5afac9567f3552a883ce5d3ecaee8ace2d48d45ed4dfa720fc894fbf9f9bdfb161c9beabe175d24dfcb30ae93b92895e27c2334e86f0b9dc8e6df

Download Submit
\??\c:\Windows\System32\CSCA74A8A77341841A3823A9B9679421484.TMP

Filesize
1KB

MD5
1c519e4618f2b468d0f490d4a716da11

SHA1
1a693d0046e48fa813e4fa3bb94ccd20d43e3106

SHA256
4dbf16e3b3bb06c98eeaf27d0a25d9f34ee0ceac51e6365218ef7cd09edb3438

SHA512
99f293878a08b56db6ff2297f243f5f5b85864e6925a1d6af61a65369f7eb323ae1b75fe5f1465fac0b982ac9f49b9e0a295b5dac947da40f61991c4411233fd

Download Submit
memory/1680-155-0x000000001BA70000-0x000000001BB3D000-memory.dmp

Filesize
820KB

Download
memory/4000-17-0x00000000027B0000-0x00000000027BC000-memory.dmp

Filesize
48KB

Download
memory/4000-47-0x00007FFE03250000-0x00007FFE03D11000-memory.dmp

Filesize
10.8MB

Download
memory/4000-24-0x00007FFE03250000-0x00007FFE03D11000-memory.dmp

Filesize
10.8MB

Download
memory/4000-26-0x000000001BBF0000-0x000000001BC02000-memory.dmp

Filesize
72KB

Download
memory/4000-28-0x000000001BC10000-0x000000001BC22000-memory.dmp

Filesize
72KB

Download
memory/4000-29-0x00007FFE03250000-0x00007FFE03D11000-memory.dmp

Filesize
10.8MB

Download
memory/4000-30-0x000000001C160000-0x000000001C688000-memory.dmp

Filesize
5.2MB

Download
memory/4000-32-0x000000001BBA0000-0x000000001BBAC000-memory.dmp

Filesize
48KB

Download
memory/4000-36-0x000000001BBE0000-0x000000001BBEE000-memory.dmp

Filesize
56KB

Download
memory/4000-34-0x000000001BBD0000-0x000000001BBE0000-memory.dmp

Filesize
64KB

Download
memory/4000-39-0x000000001BC50000-0x000000001BC68000-memory.dmp

Filesize
96KB

Download
memory/4000-37-0x00007FFE03250000-0x00007FFE03D11000-memory.dmp

Filesize
10.8MB

Download
memory/4000-43-0x000000001BCC0000-0x000000001BD0E000-memory.dmp

Filesize
312KB

Download
memory/4000-44-0x00007FFE03250000-0x00007FFE03D11000-memory.dmp

Filesize
10.8MB

Download
memory/4000-41-0x000000001BC30000-0x000000001BC3C000-memory.dmp

Filesize
48KB

Download
memory/4000-45-0x00007FFE03250000-0x00007FFE03D11000-memory.dmp

Filesize
10.8MB

Download
memory/4000-46-0x00007FFE03250000-0x00007FFE03D11000-memory.dmp

Filesize
10.8MB

Download
memory/4000-23-0x000000001BB90000-0x000000001BB9E000-memory.dmp

Filesize
56KB

Download
memory/4000-21-0x00000000029B0000-0x00000000029BC000-memory.dmp

Filesize
48KB

Download
memory/4000-19-0x00000000027D0000-0x00000000027DE000-memory.dmp

Filesize
56KB

Download
memory/4000-1-0x0000000000410000-0x00000000005E0000-memory.dmp

Filesize
1.8MB

Download
memory/4000-15-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/4000-13-0x000000001BBB0000-0x000000001BBC8000-memory.dmp

Filesize
96KB

Download
memory/4000-0-0x00007FFE03253000-0x00007FFE03255000-memory.dmp

Filesize
8KB

Download
memory/4000-11-0x000000001BB40000-0x000000001BB90000-memory.dmp

Filesize
320KB

Download
memory/4000-82-0x00007FFE03250000-0x00007FFE03D11000-memory.dmp

Filesize
10.8MB

Download
memory/4000-81-0x000000001C690000-0x000000001C75D000-memory.dmp

Filesize
820KB

Download
memory/4000-10-0x0000000002790000-0x00000000027AC000-memory.dmp

Filesize
112KB

Download
memory/4000-9-0x00007FFE03250000-0x00007FFE03D11000-memory.dmp

Filesize
10.8MB

Download
memory/4000-8-0x0000000002900000-0x000000000291C000-memory.dmp

Filesize
112KB

Download
memory/4000-6-0x0000000002740000-0x000000000274E000-memory.dmp

Filesize
56KB

Download
memory/4000-4-0x0000000002760000-0x0000000002786000-memory.dmp

Filesize
152KB

Download
memory/4000-2-0x00007FFE03250000-0x00007FFE03D11000-memory.dmp

Filesize
10.8MB

Download
memory/4388-80-0x000001B828910000-0x000001B828932000-memory.dmp

Filesize
136KB

Download