dcrat | a07573c22a19a40f9a01422a93bd1c125909857895e9511d59949ba0e5ceb3fe

Analysis

max time kernel
121s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a07573c22a19a40f9a01422a93bd1c125909857895e9511d59949ba0e5ceb3fe.exe
Size

2.7MB
MD5

c462d6a698a68d09fd332986ab175aab
SHA1

796cc4391791a9c135b32d3ae24c83b5f6f759d8
SHA256

a07573c22a19a40f9a01422a93bd1c125909857895e9511d59949ba0e5ceb3fe
SHA512

328dc1e5a620929de513ce5e496c905ace7856af3eb95f9619f0a5e4748f3375220a4327a0807dea30b94e2dc43983c5e5cc21fb45d8522c7dc18ed778a5ba9b
SSDEEP

49152:UB8QdyqETGWTi91dhvdefW1qI8i5ZMFzp2XZXyoW5AJo:+l8GWWzdVdeu1q/iLMFcRyfAJo

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\wininit.exe\", \"C:\\Windows\\Globalization\\MCT\\MCT-GB\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\conhost.exe\", \"C:\\Windows\\L2Schemas\\csrss.exe\", \"C:\\refmonitor\\SurrogateBrowserruntimeSvc.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\wininit.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\wininit.exe\", \"C:\\Windows\\Globalization\\MCT\\MCT-GB\\lsm.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\wininit.exe\", \"C:\\Windows\\Globalization\\MCT\\MCT-GB\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\conhost.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\wininit.exe\", \"C:\\Windows\\Globalization\\MCT\\MCT-GB\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\conhost.exe\", \"C:\\Windows\\L2Schemas\\csrss.exe\""	SurrogateBrowserruntimeSvc.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2680	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2680	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2680	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2680	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2680	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2680	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2680	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2680	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2680	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2680	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2680	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2680	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2680	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2680	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2680	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2680	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2680	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	2680	schtasks.exe	34

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
784	powershell.exe
2052	powershell.exe
1032	powershell.exe
908	powershell.exe
1540	powershell.exe
2444	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2440	SurrogateBrowserruntimeSvc.exe
2472	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2504	cmd.exe
2504	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\L2Schemas\\csrss.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SurrogateBrowserruntimeSvc = "\"C:\\refmonitor\\SurrogateBrowserruntimeSvc.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\wininit.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\wininit.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Globalization\\MCT\\MCT-GB\\lsm.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Globalization\\MCT\\MCT-GB\\lsm.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\conhost.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\conhost.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\L2Schemas\\csrss.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\SurrogateBrowserruntimeSvc = "\"C:\\refmonitor\\SurrogateBrowserruntimeSvc.exe\""	SurrogateBrowserruntimeSvc.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC4D69A11C949C4F77AEFDFFFFBD2FFBC.TMP	csc.exe
File created	\??\c:\Windows\System32\byyuy-.exe	csc.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\SurrogateBrowserruntimeSvc.exe	SurrogateBrowserruntimeSvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\conhost.exe	SurrogateBrowserruntimeSvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\088424020bedd6	SurrogateBrowserruntimeSvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Globalization\MCT\MCT-GB\lsm.exe	SurrogateBrowserruntimeSvc.exe
File created	C:\Windows\Globalization\MCT\MCT-GB\101b941d020240	SurrogateBrowserruntimeSvc.exe
File created	C:\Windows\L2Schemas\csrss.exe	SurrogateBrowserruntimeSvc.exe
File opened for modification	C:\Windows\L2Schemas\csrss.exe	SurrogateBrowserruntimeSvc.exe
File created	C:\Windows\L2Schemas\886983d96e3d3e	SurrogateBrowserruntimeSvc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a07573c22a19a40f9a01422a93bd1c125909857895e9511d59949ba0e5ceb3fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2080	schtasks.exe
2576	schtasks.exe
2652	schtasks.exe
280	schtasks.exe
1828	schtasks.exe
1684	schtasks.exe
1968	schtasks.exe
1404	schtasks.exe
1376	schtasks.exe
2224	schtasks.exe
2068	schtasks.exe
1560	schtasks.exe
1568	schtasks.exe
1456	schtasks.exe
2004	schtasks.exe
2972	schtasks.exe
840	schtasks.exe
480	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe
2440	SurrogateBrowserruntimeSvc.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2440	SurrogateBrowserruntimeSvc.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	2472	Idle.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 1628	2380	a07573c22a19a40f9a01422a93bd1c125909857895e9511d59949ba0e5ceb3fe.exe	30
PID 2380 wrote to memory of 1628	2380	a07573c22a19a40f9a01422a93bd1c125909857895e9511d59949ba0e5ceb3fe.exe	30
PID 2380 wrote to memory of 1628	2380	a07573c22a19a40f9a01422a93bd1c125909857895e9511d59949ba0e5ceb3fe.exe	30
PID 2380 wrote to memory of 1628	2380	a07573c22a19a40f9a01422a93bd1c125909857895e9511d59949ba0e5ceb3fe.exe	30
PID 1628 wrote to memory of 2504	1628	WScript.exe	31
PID 1628 wrote to memory of 2504	1628	WScript.exe	31
PID 1628 wrote to memory of 2504	1628	WScript.exe	31
PID 1628 wrote to memory of 2504	1628	WScript.exe	31
PID 2504 wrote to memory of 2440	2504	cmd.exe	33
PID 2504 wrote to memory of 2440	2504	cmd.exe	33
PID 2504 wrote to memory of 2440	2504	cmd.exe	33
PID 2504 wrote to memory of 2440	2504	cmd.exe	33
PID 2440 wrote to memory of 3044	2440	SurrogateBrowserruntimeSvc.exe	38
PID 2440 wrote to memory of 3044	2440	SurrogateBrowserruntimeSvc.exe	38
PID 2440 wrote to memory of 3044	2440	SurrogateBrowserruntimeSvc.exe	38
PID 3044 wrote to memory of 1884	3044	csc.exe	40
PID 3044 wrote to memory of 1884	3044	csc.exe	40
PID 3044 wrote to memory of 1884	3044	csc.exe	40
PID 2440 wrote to memory of 784	2440	SurrogateBrowserruntimeSvc.exe	56
PID 2440 wrote to memory of 784	2440	SurrogateBrowserruntimeSvc.exe	56
PID 2440 wrote to memory of 784	2440	SurrogateBrowserruntimeSvc.exe	56
PID 2440 wrote to memory of 2444	2440	SurrogateBrowserruntimeSvc.exe	57
PID 2440 wrote to memory of 2444	2440	SurrogateBrowserruntimeSvc.exe	57
PID 2440 wrote to memory of 2444	2440	SurrogateBrowserruntimeSvc.exe	57
PID 2440 wrote to memory of 2052	2440	SurrogateBrowserruntimeSvc.exe	58
PID 2440 wrote to memory of 2052	2440	SurrogateBrowserruntimeSvc.exe	58
PID 2440 wrote to memory of 2052	2440	SurrogateBrowserruntimeSvc.exe	58
PID 2440 wrote to memory of 1032	2440	SurrogateBrowserruntimeSvc.exe	62
PID 2440 wrote to memory of 1032	2440	SurrogateBrowserruntimeSvc.exe	62
PID 2440 wrote to memory of 1032	2440	SurrogateBrowserruntimeSvc.exe	62
PID 2440 wrote to memory of 1540	2440	SurrogateBrowserruntimeSvc.exe	63
PID 2440 wrote to memory of 1540	2440	SurrogateBrowserruntimeSvc.exe	63
PID 2440 wrote to memory of 1540	2440	SurrogateBrowserruntimeSvc.exe	63
PID 2440 wrote to memory of 908	2440	SurrogateBrowserruntimeSvc.exe	64
PID 2440 wrote to memory of 908	2440	SurrogateBrowserruntimeSvc.exe	64
PID 2440 wrote to memory of 908	2440	SurrogateBrowserruntimeSvc.exe	64
PID 2440 wrote to memory of 1572	2440	SurrogateBrowserruntimeSvc.exe	68
PID 2440 wrote to memory of 1572	2440	SurrogateBrowserruntimeSvc.exe	68
PID 2440 wrote to memory of 1572	2440	SurrogateBrowserruntimeSvc.exe	68
PID 1572 wrote to memory of 2156	1572	cmd.exe	70
PID 1572 wrote to memory of 2156	1572	cmd.exe	70
PID 1572 wrote to memory of 2156	1572	cmd.exe	70
PID 1572 wrote to memory of 1608	1572	cmd.exe	71
PID 1572 wrote to memory of 1608	1572	cmd.exe	71
PID 1572 wrote to memory of 1608	1572	cmd.exe	71
PID 1572 wrote to memory of 2472	1572	cmd.exe	72
PID 1572 wrote to memory of 2472	1572	cmd.exe	72
PID 1572 wrote to memory of 2472	1572	cmd.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a07573c22a19a40f9a01422a93bd1c125909857895e9511d59949ba0e5ceb3fe.exe
"C:\Users\Admin\AppData\Local\Temp\a07573c22a19a40f9a01422a93bd1c125909857895e9511d59949ba0e5ceb3fe.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\refmonitor\IpbZ1VvTcHrONcTKJANl9zG.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\refmonitor\L8eiZJU31CCxC9L.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\refmonitor\SurrogateBrowserruntimeSvc.exe
      "C:\refmonitor/SurrogateBrowserruntimeSvc.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kncnvm0s\kncnvm0s.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3044
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB184.tmp" "c:\Windows\System32\CSC4D69A11C949C4F77AEFDFFFFBD2FFBC.TMP"
        6⤵
        
        PID:1884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\MCT\MCT-GB\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\refmonitor\SurrogateBrowserruntimeSvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nNyNutAYGn.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1572
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2156
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1608
      - C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\MCT\MCT-GB\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Globalization\MCT\MCT-GB\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\MCT\MCT-GB\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateBrowserruntimeSvcS" /sc MINUTE /mo 7 /tr "'C:\refmonitor\SurrogateBrowserruntimeSvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateBrowserruntimeSvc" /sc ONLOGON /tr "'C:\refmonitor\SurrogateBrowserruntimeSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateBrowserruntimeSvcS" /sc MINUTE /mo 7 /tr "'C:\refmonitor\SurrogateBrowserruntimeSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB184.tmp

Filesize
1KB

MD5
63468e8531ccd2fdf38ddd5cda49def4

SHA1
d1805e66f2f238d338e7eca6c7b0e972678b8dcf

SHA256
02b4b2e24521db12f0c3b0bd1b2995412f3b83bd780a9ba723b03d0f9e015ac4

SHA512
9c818911cd42036914d0c07d58d6f8aec1e2d6502a140d1063f8f741004910b8fc731f96716938068b27335163e22ee2983c063bb94ca8239fe020276e3ba2e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nNyNutAYGn.bat

Filesize
233B

MD5
bf299e8d953e80f954f5affa98363176

SHA1
19adcde448226343c801eb17f016fc1d2251fdef

SHA256
0c2e39c4701455cfecf4e7c926ec5a5462781c739656374b0102c5e50f43913e

SHA512
0c403e03f223265312d79c02fc2622f0e3a79c47f93343b89011e418e2b635980ada3da19c23b66ad3dabdf3d4fd6ff1da25a0a9edac04fd3ddf79dc53df391f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
346ecaab45ff0813eba3d14c440f1477

SHA1
7780383c771635f1488b175b4d3210f09c28e56d

SHA256
3dad0edfbd75b530ee6993b070d27b3d853e5cc775dbf4e955aad5f0ed86f395

SHA512
4b76702a1486fcf69068eac2d30db8e3cc54dd59b093973e3b1a69e165ff05318cb4ca6af97b393e69025d4a8b20e1071e5bbe2be64bfcd74143d5807131f43e

Download Submit
C:\refmonitor\IpbZ1VvTcHrONcTKJANl9zG.vbe

Filesize
203B

MD5
7ab2590560976f9db5936c16c769e33e

SHA1
879f7a609f21c2db8f985a2be7328708225ecaac

SHA256
582d8eef207124fa14ea2bee1733ac8eaada70a9dc2e5a26481136deaff10fde

SHA512
2cae748998d21e4e217b652c5cef6a3ba206cf845bba9d85507fea99ee334093318b248680819b36745c1ba586e0d4115a225ef8bc17211d61c2314fbcdd92f4

Download Submit
C:\refmonitor\L8eiZJU31CCxC9L.bat

Filesize
85B

MD5
550369819d3a809d6b71c88c2ac730dd

SHA1
dc2349d2365842b97c43a20922a500bc5402c484

SHA256
359617de9c982df1d89e52bd9be840bb6618850d46380d4183ada239c8435e32

SHA512
aac7ccd06cf0f49d651d1fbc276031bb1b431feb260098cbb69fb54c3993e15e8f6f80ff8c0031048f34e33276800286f2943535ca34f33c0944380a3b960921

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kncnvm0s\kncnvm0s.0.cs

Filesize
389B

MD5
d421f9b1bec69865032feff9c539aaca

SHA1
8e5bf5815adf123ada7e0241c8742a9842fb8892

SHA256
f82f65d77aaf354199b1132433393947eb9f5a94257f03338b13fa9b4b13d715

SHA512
a8e622e3e5da8d8625abff9c6ca99dc58ac264ec61fe8764dd4b567014319c580280fbdb7090c72af6716312843e46b305c897c6d5b0f43d2c809c363bbba4e3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kncnvm0s\kncnvm0s.cmdline

Filesize
235B

MD5
a32f7d4adbbf5a575e619007a17e0407

SHA1
22213709a94becd8d905dda707b1cf7c0b08889e

SHA256
99ca937577b375e7bd0da2861f0765aa0af4b92fddb1d396e925c2696e69f5b2

SHA512
7b5941e5c6caa2bab4741182bc7d01a42da52376f5b6b36162f172b6e7020b9415ea02593c042f7777e32f7e4509a85fb017d4785507889d6f762a3c5077ac70

Download Submit
\??\c:\Windows\System32\CSC4D69A11C949C4F77AEFDFFFFBD2FFBC.TMP

Filesize
1KB

MD5
078586b266e519b5c113064d7a0bf45c

SHA1
a9395c0ef35add5c75591ebb94c85c1f33f408bf

SHA256
ccf292ff9f142b204ad4f4481a044ba8f9ab274305dcb604bf0b8ae91819ab1e

SHA512
5b8eb6aad62657309088c4668d633c2aa6324d4824ec32c3c5e133df0a5493a4342c980e077ba565f3aab29c58f95c8db7195415a1e554384405c1457730f959

Download Submit
\refmonitor\SurrogateBrowserruntimeSvc.exe

Filesize
2.4MB

MD5
13d5df2ab2ead9bc68445f92b137eda6

SHA1
0411a2f0bae6108252130feb85e20cc1cf6b5d07

SHA256
80b56ea271aee36a7631af049b4a07141163f8d79ef220af176dc661acad8f54

SHA512
b58d4ec4689de7d0229c56161163e2174004dd217c2a3d33985400d8907506a36b0f769d6ba196327e00577879e7e0c8442ff6e29cbae4110c231ededde45b62

Download Submit
memory/784-71-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2052-73-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2440-17-0x0000000000C10000-0x0000000000C2C000-memory.dmp

Filesize
112KB

Download
memory/2440-29-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

Filesize
48KB

Download
memory/2440-27-0x0000000000D80000-0x0000000000D98000-memory.dmp

Filesize
96KB

Download
memory/2440-25-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/2440-23-0x0000000000EE0000-0x0000000000F3A000-memory.dmp

Filesize
360KB

Download
memory/2440-21-0x0000000000D60000-0x0000000000D76000-memory.dmp

Filesize
88KB

Download
memory/2440-19-0x0000000000D40000-0x0000000000D58000-memory.dmp

Filesize
96KB

Download
memory/2440-15-0x0000000000A40000-0x0000000000A4E000-memory.dmp

Filesize
56KB

Download
memory/2440-13-0x0000000000F70000-0x00000000011E2000-memory.dmp

Filesize
2.4MB

Download
memory/2472-91-0x0000000000E80000-0x00000000010F2000-memory.dmp

Filesize
2.4MB

Download