dcrat | 92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f

Analysis

max time kernel
122s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
Size

769KB
MD5

e37ecdc4437e46a9e712edf5ac610e65
SHA1

e5e93b92d37911f342f93c636ecb4954862b62dc
SHA256

92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f
SHA512

5941dc1676e3b0a5c9f4bee93bc9d542ed829a4f7263fecad6f870aa084d34ce0f9f16bb794832d4b67fb81fc76ed115ad05aa3692132750132298427034c04b
SSDEEP

12288:7pTnTz9dJuydpYHA9VvNEJJMA+AppW3Ari4VVyZC0+1ctHNt8KF4AXDWZ6:7pTn5uy19V1WJMA+Ap3iE0n3c6

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\es-ES\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\OSPPSVC.exe\""	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\es-ES\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\OSPPSVC.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dllhost.exe\""	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\es-ES\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\OSPPSVC.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe\""	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\""	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\csrss.exe\""	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\es-ES\\Idle.exe\""	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2680	schtasks.exe	31

DCRat payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2492-1-0x0000000000010000-0x00000000000D6000-memory.dmp	family_dcrat_v2
behavioral1/files/0x0005000000019274-24.dat	family_dcrat_v2
behavioral1/memory/848-46-0x0000000000E80000-0x0000000000F46000-memory.dmp	family_dcrat_v2

Executes dropped EXE 1 IoCs

pid	Process
848	taskhost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\""	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\""	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\csrss.exe\""	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\DigitalLocker\\es-ES\\Idle.exe\""	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe\""	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dllhost.exe\""	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe\""	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\csrss.exe\""	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\DigitalLocker\\es-ES\\Idle.exe\""	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\OSPPSVC.exe\""	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\OSPPSVC.exe\""	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dllhost.exe\""	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC9B9A7E95B4A443F3A0F2F0869D4EF.TMP	csc.exe
File created	\??\c:\Windows\System32\byyuy-.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\886983d96e3d3e	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\DigitalLocker\es-ES\Idle.exe	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
File created	C:\Windows\DigitalLocker\es-ES\6ccacd8608530f	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
564	schtasks.exe
2700	schtasks.exe
2592	schtasks.exe
3068	schtasks.exe
1244	schtasks.exe
2876	schtasks.exe
2800	schtasks.exe
2372	schtasks.exe
2056	schtasks.exe
1804	schtasks.exe
1252	schtasks.exe
2796	schtasks.exe
2368	schtasks.exe
2840	schtasks.exe
1836	schtasks.exe
2552	schtasks.exe
1552	schtasks.exe
2952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
848	taskhost.exe
848	taskhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
Token: SeDebugPrivilege	848	taskhost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2668	2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe	35
PID 2492 wrote to memory of 2668	2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe	35
PID 2492 wrote to memory of 2668	2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe	35
PID 2668 wrote to memory of 2688	2668	csc.exe	37
PID 2668 wrote to memory of 2688	2668	csc.exe	37
PID 2668 wrote to memory of 2688	2668	csc.exe	37
PID 2492 wrote to memory of 2916	2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe	53
PID 2492 wrote to memory of 2916	2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe	53
PID 2492 wrote to memory of 2916	2492	92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe	53
PID 2916 wrote to memory of 2648	2916	cmd.exe	55
PID 2916 wrote to memory of 2648	2916	cmd.exe	55
PID 2916 wrote to memory of 2648	2916	cmd.exe	55
PID 2916 wrote to memory of 892	2916	cmd.exe	56
PID 2916 wrote to memory of 892	2916	cmd.exe	56
PID 2916 wrote to memory of 892	2916	cmd.exe	56
PID 2916 wrote to memory of 848	2916	cmd.exe	57
PID 2916 wrote to memory of 848	2916	cmd.exe	57
PID 2916 wrote to memory of 848	2916	cmd.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe
"C:\Users\Admin\AppData\Local\Temp\92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2i0uobgd\2i0uobgd.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDBBF.tmp" "c:\Windows\System32\CSC9B9A7E95B4A443F3A0F2F0869D4EF.TMP"
    3⤵
    PID:2688
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W7H4ByLjUI.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2648
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:892
- - C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
    "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\es-ES\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f9" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f9" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe

Filesize
769KB

MD5
e37ecdc4437e46a9e712edf5ac610e65

SHA1
e5e93b92d37911f342f93c636ecb4954862b62dc

SHA256
92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f

SHA512
5941dc1676e3b0a5c9f4bee93bc9d542ed829a4f7263fecad6f870aa084d34ce0f9f16bb794832d4b67fb81fc76ed115ad05aa3692132750132298427034c04b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDBBF.tmp

Filesize
1KB

MD5
14a676e518bfe87f82681f543b974d50

SHA1
358e6002132489795d3017bef7c07b9fc0d2d7de

SHA256
93b4551d0ee0293259f42142a6fd8c9a3313287c6782a823047a978791cfa3d6

SHA512
5d7e2f3fa31c6469a697ace324dbe92ebba0f2a2e6352f07f7c668e6d5de81047d4fec7d0d86bb5fce36d297db6e0fc3da6480f9bb40006ffebe72d1fc5bb8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\W7H4ByLjUI.bat

Filesize
237B

MD5
9c74aa4ac6f586d4c2917959b61480cc

SHA1
5237cabf6754a9f5fabe0afa3f5ca87a98dcb062

SHA256
1a277d5890ab60fcbdc5696df63ac8b63a988fabeba9f0eec0cdcaa41e50dcdf

SHA512
befb75ee8fcfeeede1a43976d5e2a6830c6ae9aeb5e66ce4e2407f62edcf6f305bb093a2d56957f652053deba9b6b9bbc3c8598bbadd957f95278f85a3bd9400

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2i0uobgd\2i0uobgd.0.cs

Filesize
393B

MD5
2b6ec8b8f90421e244c03270da17a6f4

SHA1
87e638e3dda8b30db76040df4a60c9afa158bdd6

SHA256
500bb881cea1dd9105c38fb3d5f4e803ace6c8f2270c4beac20080288e8e69e5

SHA512
ec96dd8bdf17cf630b293757ead63cd90f3b7ff4bc15b0ba31dfa88df13f6d150c18d58f3439d6985ef78feea5bc2cbfbda5aeb6a660d9fffc2b20a3e50417e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2i0uobgd\2i0uobgd.cmdline

Filesize
235B

MD5
6327e7d301a33cf2d11f9e3e199edc34

SHA1
90241af3a469aa358b8fc9bfe1cc36b8572f3837

SHA256
ec6d1102415c404771d9cb04b6b7130cf0ec7673ac5ed6c42de51d8133c3e3fe

SHA512
01c97df903e5a764eaf98c199d9969aa1de6e499088562b4bb37cb370fb66df813c92dff62ae626226a80c54b1b2f02ba321d2dca65eee3a3522b67a999df063

Download Submit
\??\c:\Windows\System32\CSC9B9A7E95B4A443F3A0F2F0869D4EF.TMP

Filesize
1KB

MD5
078586b266e519b5c113064d7a0bf45c

SHA1
a9395c0ef35add5c75591ebb94c85c1f33f408bf

SHA256
ccf292ff9f142b204ad4f4481a044ba8f9ab274305dcb604bf0b8ae91819ab1e

SHA512
5b8eb6aad62657309088c4668d633c2aa6324d4824ec32c3c5e133df0a5493a4342c980e077ba565f3aab29c58f95c8db7195415a1e554384405c1457730f959

Download Submit
memory/848-46-0x0000000000E80000-0x0000000000F46000-memory.dmp

Filesize
792KB

Download
memory/2492-7-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2492-13-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2492-12-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2492-10-0x0000000002070000-0x0000000002088000-memory.dmp

Filesize
96KB

Download
memory/2492-14-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2492-8-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2492-6-0x0000000000710000-0x000000000072C000-memory.dmp

Filesize
112KB

Download
memory/2492-0-0x000007FEF5BE3000-0x000007FEF5BE4000-memory.dmp

Filesize
4KB

Download
memory/2492-4-0x00000000004D0000-0x00000000004DE000-memory.dmp

Filesize
56KB

Download
memory/2492-2-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2492-43-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2492-1-0x0000000000010000-0x00000000000D6000-memory.dmp

Filesize
792KB

Download