dcrat | a07573c22a19a40f9a01422a93bd1c125909857895e9511d59949ba0e5ceb3fe

Analysis

max time kernel
119s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a07573c22a19a40f9a01422a93bd1c125909857895e9511d59949ba0e5ceb3fe.exe
Size

2.7MB
MD5

c462d6a698a68d09fd332986ab175aab
SHA1

796cc4391791a9c135b32d3ae24c83b5f6f759d8
SHA256

a07573c22a19a40f9a01422a93bd1c125909857895e9511d59949ba0e5ceb3fe
SHA512

328dc1e5a620929de513ce5e496c905ace7856af3eb95f9619f0a5e4748f3375220a4327a0807dea30b94e2dc43983c5e5cc21fb45d8522c7dc18ed778a5ba9b
SSDEEP

49152:UB8QdyqETGWTi91dhvdefW1qI8i5ZMFzp2XZXyoW5AJo:+l8GWWzdVdeu1q/iLMFcRyfAJo

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\1033\\SurrogateBrowserruntimeSvc.exe\", \"C:\\Users\\Default\\Application Data\\WmiPrvSE.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\System.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\sppsvc.exe\", \"C:\\refmonitor\\SurrogateBrowserruntimeSvc.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\OSPPSVC.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\1033\\SurrogateBrowserruntimeSvc.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\1033\\SurrogateBrowserruntimeSvc.exe\", \"C:\\Users\\Default\\Application Data\\WmiPrvSE.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\1033\\SurrogateBrowserruntimeSvc.exe\", \"C:\\Users\\Default\\Application Data\\WmiPrvSE.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\System.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\1033\\SurrogateBrowserruntimeSvc.exe\", \"C:\\Users\\Default\\Application Data\\WmiPrvSE.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\System.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\sppsvc.exe\""	SurrogateBrowserruntimeSvc.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	1516	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1516	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	1516	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1516	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	1516	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	1516	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1516	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	1516	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	1516	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	1516	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	1516	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	1516	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	1516	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	1516	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	1516	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	1516	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	1516	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	1516	schtasks.exe	35

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2180	powershell.exe
356	powershell.exe
1984	powershell.exe
1132	powershell.exe
1504	powershell.exe
960	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2144	SurrogateBrowserruntimeSvc.exe
2336	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2712	cmd.exe
2712	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\SurrogateBrowserruntimeSvc = "\"C:\\refmonitor\\SurrogateBrowserruntimeSvc.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SurrogateBrowserruntimeSvc = "\"C:\\refmonitor\\SurrogateBrowserruntimeSvc.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Users\\Public\\Videos\\Sample Videos\\OSPPSVC.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SurrogateBrowserruntimeSvc = "\"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\1033\\SurrogateBrowserruntimeSvc.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Default\\Application Data\\WmiPrvSE.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Default\\Application Data\\WmiPrvSE.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\System.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Users\\Public\\Videos\\Sample Videos\\OSPPSVC.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\SurrogateBrowserruntimeSvc = "\"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\1033\\SurrogateBrowserruntimeSvc.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\System.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Public\\Pictures\\Sample Pictures\\sppsvc.exe\""	SurrogateBrowserruntimeSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Public\\Pictures\\Sample Pictures\\sppsvc.exe\""	SurrogateBrowserruntimeSvc.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC97FD0141C17044008FCEB3C5F3DF9C.TMP	csc.exe
File created	\??\c:\Windows\System32\wa0wg5.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\SurrogateBrowserruntimeSvc.exe	SurrogateBrowserruntimeSvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\bc27f8c430f306	SurrogateBrowserruntimeSvc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a07573c22a19a40f9a01422a93bd1c125909857895e9511d59949ba0e5ceb3fe.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2320	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2320	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1904	schtasks.exe
1696	schtasks.exe
1608	schtasks.exe
2268	schtasks.exe
2864	schtasks.exe
764	schtasks.exe
1416	schtasks.exe
1620	schtasks.exe
1364	schtasks.exe
2764	schtasks.exe
484	schtasks.exe
2428	schtasks.exe
2132	schtasks.exe
2124	schtasks.exe
2936	schtasks.exe
3068	schtasks.exe
1708	schtasks.exe
1404	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe
2144	SurrogateBrowserruntimeSvc.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	SurrogateBrowserruntimeSvc.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	356	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	2336	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 2812	988	a07573c22a19a40f9a01422a93bd1c125909857895e9511d59949ba0e5ceb3fe.exe	31
PID 988 wrote to memory of 2812	988	a07573c22a19a40f9a01422a93bd1c125909857895e9511d59949ba0e5ceb3fe.exe	31
PID 988 wrote to memory of 2812	988	a07573c22a19a40f9a01422a93bd1c125909857895e9511d59949ba0e5ceb3fe.exe	31
PID 988 wrote to memory of 2812	988	a07573c22a19a40f9a01422a93bd1c125909857895e9511d59949ba0e5ceb3fe.exe	31
PID 2812 wrote to memory of 2712	2812	WScript.exe	32
PID 2812 wrote to memory of 2712	2812	WScript.exe	32
PID 2812 wrote to memory of 2712	2812	WScript.exe	32
PID 2812 wrote to memory of 2712	2812	WScript.exe	32
PID 2712 wrote to memory of 2144	2712	cmd.exe	34
PID 2712 wrote to memory of 2144	2712	cmd.exe	34
PID 2712 wrote to memory of 2144	2712	cmd.exe	34
PID 2712 wrote to memory of 2144	2712	cmd.exe	34
PID 2144 wrote to memory of 2296	2144	SurrogateBrowserruntimeSvc.exe	39
PID 2144 wrote to memory of 2296	2144	SurrogateBrowserruntimeSvc.exe	39
PID 2144 wrote to memory of 2296	2144	SurrogateBrowserruntimeSvc.exe	39
PID 2296 wrote to memory of 1592	2296	csc.exe	41
PID 2296 wrote to memory of 1592	2296	csc.exe	41
PID 2296 wrote to memory of 1592	2296	csc.exe	41
PID 2144 wrote to memory of 2180	2144	SurrogateBrowserruntimeSvc.exe	57
PID 2144 wrote to memory of 2180	2144	SurrogateBrowserruntimeSvc.exe	57
PID 2144 wrote to memory of 2180	2144	SurrogateBrowserruntimeSvc.exe	57
PID 2144 wrote to memory of 356	2144	SurrogateBrowserruntimeSvc.exe	58
PID 2144 wrote to memory of 356	2144	SurrogateBrowserruntimeSvc.exe	58
PID 2144 wrote to memory of 356	2144	SurrogateBrowserruntimeSvc.exe	58
PID 2144 wrote to memory of 1984	2144	SurrogateBrowserruntimeSvc.exe	59
PID 2144 wrote to memory of 1984	2144	SurrogateBrowserruntimeSvc.exe	59
PID 2144 wrote to memory of 1984	2144	SurrogateBrowserruntimeSvc.exe	59
PID 2144 wrote to memory of 1132	2144	SurrogateBrowserruntimeSvc.exe	61
PID 2144 wrote to memory of 1132	2144	SurrogateBrowserruntimeSvc.exe	61
PID 2144 wrote to memory of 1132	2144	SurrogateBrowserruntimeSvc.exe	61
PID 2144 wrote to memory of 1504	2144	SurrogateBrowserruntimeSvc.exe	62
PID 2144 wrote to memory of 1504	2144	SurrogateBrowserruntimeSvc.exe	62
PID 2144 wrote to memory of 1504	2144	SurrogateBrowserruntimeSvc.exe	62
PID 2144 wrote to memory of 960	2144	SurrogateBrowserruntimeSvc.exe	63
PID 2144 wrote to memory of 960	2144	SurrogateBrowserruntimeSvc.exe	63
PID 2144 wrote to memory of 960	2144	SurrogateBrowserruntimeSvc.exe	63
PID 2144 wrote to memory of 900	2144	SurrogateBrowserruntimeSvc.exe	69
PID 2144 wrote to memory of 900	2144	SurrogateBrowserruntimeSvc.exe	69
PID 2144 wrote to memory of 900	2144	SurrogateBrowserruntimeSvc.exe	69
PID 900 wrote to memory of 2212	900	cmd.exe	71
PID 900 wrote to memory of 2212	900	cmd.exe	71
PID 900 wrote to memory of 2212	900	cmd.exe	71
PID 900 wrote to memory of 2320	900	cmd.exe	72
PID 900 wrote to memory of 2320	900	cmd.exe	72
PID 900 wrote to memory of 2320	900	cmd.exe	72
PID 900 wrote to memory of 2336	900	cmd.exe	73
PID 900 wrote to memory of 2336	900	cmd.exe	73
PID 900 wrote to memory of 2336	900	cmd.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a07573c22a19a40f9a01422a93bd1c125909857895e9511d59949ba0e5ceb3fe.exe
"C:\Users\Admin\AppData\Local\Temp\a07573c22a19a40f9a01422a93bd1c125909857895e9511d59949ba0e5ceb3fe.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:988
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\refmonitor\IpbZ1VvTcHrONcTKJANl9zG.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\refmonitor\L8eiZJU31CCxC9L.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\refmonitor\SurrogateBrowserruntimeSvc.exe
      "C:\refmonitor/SurrogateBrowserruntimeSvc.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zs4nw5gw\zs4nw5gw.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2296
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE6B.tmp" "c:\Windows\System32\CSC97FD0141C17044008FCEB3C5F3DF9C.TMP"
        6⤵
        
        PID:1592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Stationery\1033\SurrogateBrowserruntimeSvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\refmonitor\SurrogateBrowserruntimeSvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NkjzQfREGa.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:900
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2212
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2320
      - C:\Users\Default\Application Data\WmiPrvSE.exe
        
        "C:\Users\Default\Application Data\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateBrowserruntimeSvcS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\SurrogateBrowserruntimeSvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateBrowserruntimeSvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\SurrogateBrowserruntimeSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateBrowserruntimeSvcS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\SurrogateBrowserruntimeSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Application Data\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Application Data\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Application Data\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateBrowserruntimeSvcS" /sc MINUTE /mo 14 /tr "'C:\refmonitor\SurrogateBrowserruntimeSvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateBrowserruntimeSvc" /sc ONLOGON /tr "'C:\refmonitor\SurrogateBrowserruntimeSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateBrowserruntimeSvcS" /sc MINUTE /mo 11 /tr "'C:\refmonitor\SurrogateBrowserruntimeSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NkjzQfREGa.bat

Filesize
174B

MD5
41e817982f310e9499668ec5c66569c4

SHA1
7deae1515d230d78151be2ff291686eb70579f4c

SHA256
9d991649b306036383ef6597eda6302d9cd55bd0d204706b4235fb7935b94b6d

SHA512
652826abcfec2ed69c605613b08909381209748ed81ce6b468c911e1a79f64564ad3f84a961c9357f24ecc062dd26bbfa97ecbcabe0e9a007153385776d3e845

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFE6B.tmp

Filesize
1KB

MD5
ef0e54b86ef17bca4e6f0acd93a56826

SHA1
6d05a0b17d4112a425afec9c1e1dc68b7d0c5988

SHA256
8966ed5d300b3942f79a16f4e494970337b1e6a2479c0029575c8c44ca4f3e0f

SHA512
a51ce4be4ca7ccd08d12d61bf243a6322f85f4949e3747c8b66bc49a4ce94a1587cbc5258cc1f2570e044bde47484e33f9209db38e95dfa0918885ee25b665ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
64ed50a2e319de174d9651e9d07061f7

SHA1
fc9f77fc673d08fc5e2f2897732e5ae907b5339a

SHA256
8ce9edb8b9b9f2a42af85f302ede70b325c587b55a483b320fe0a9134e9affab

SHA512
585dde81f3d46ce8af1b3ee0a36f647226b1a46add8a5ffefbc2000605675b44022b69c14b3552ba0b86b63352926a9b396bd3f87d09f5099b8126579fd3a441

Download Submit
C:\refmonitor\IpbZ1VvTcHrONcTKJANl9zG.vbe

Filesize
203B

MD5
7ab2590560976f9db5936c16c769e33e

SHA1
879f7a609f21c2db8f985a2be7328708225ecaac

SHA256
582d8eef207124fa14ea2bee1733ac8eaada70a9dc2e5a26481136deaff10fde

SHA512
2cae748998d21e4e217b652c5cef6a3ba206cf845bba9d85507fea99ee334093318b248680819b36745c1ba586e0d4115a225ef8bc17211d61c2314fbcdd92f4

Download Submit
C:\refmonitor\L8eiZJU31CCxC9L.bat

Filesize
85B

MD5
550369819d3a809d6b71c88c2ac730dd

SHA1
dc2349d2365842b97c43a20922a500bc5402c484

SHA256
359617de9c982df1d89e52bd9be840bb6618850d46380d4183ada239c8435e32

SHA512
aac7ccd06cf0f49d651d1fbc276031bb1b431feb260098cbb69fb54c3993e15e8f6f80ff8c0031048f34e33276800286f2943535ca34f33c0944380a3b960921

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zs4nw5gw\zs4nw5gw.0.cs

Filesize
380B

MD5
739209387a5da9070b300f4883447eec

SHA1
71e31b59e8f435422b34f68ab93050e492b22624

SHA256
6febadf85787621cc56fbb3bd8219b495da12158dda1455852165d8c9efb35e1

SHA512
4fab6b9f95233f1199eecb5018cd7d0b379941f07624e34bb0d52a48306287ac20d38368cfd75deccab2a5dd9d115c46a5dee30f0a202d3e34cadaf7bc9fedd6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zs4nw5gw\zs4nw5gw.cmdline

Filesize
235B

MD5
46b846aeb82c3e6e49209f7df8630d87

SHA1
792e5c5255ec62c9ea7d243b8f536a9b24d5b098

SHA256
9715829bed1e200b90dbd4da909f5190dc8fc2417218b4b10f698d5e4e117cf3

SHA512
aab151b35e2133aed71f9ae49c1ede52f8273744c869862241ed45149599ef31e350c09eea786fec4ebc84f05227da682d87ff16fcd83c5caedf210068f28679

Download Submit
\??\c:\Windows\System32\CSC97FD0141C17044008FCEB3C5F3DF9C.TMP

Filesize
1KB

MD5
b74f131aab310dc6e37b43e729c24199

SHA1
bade4cf35d7e80e79880396c1fdd518d9ab78bdf

SHA256
5fdff2a34cc18e36619ff327b292a8255286dc102d85074b7fc625ccbdbe1858

SHA512
733cb12c94d0a8bedc9a38c073dff2fc46553854d7e835767aaa749b4754beef77fa3bc8232eab21c92bc808c08b150cafe5c035bb33d82292fbf76fec55d885

Download Submit
\refmonitor\SurrogateBrowserruntimeSvc.exe

Filesize
2.4MB

MD5
13d5df2ab2ead9bc68445f92b137eda6

SHA1
0411a2f0bae6108252130feb85e20cc1cf6b5d07

SHA256
80b56ea271aee36a7631af049b4a07141163f8d79ef220af176dc661acad8f54

SHA512
b58d4ec4689de7d0229c56161163e2174004dd217c2a3d33985400d8907506a36b0f769d6ba196327e00577879e7e0c8442ff6e29cbae4110c231ededde45b62

Download Submit
memory/960-79-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1984-68-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/2144-17-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/2144-29-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/2144-27-0x00000000004B0000-0x00000000004C8000-memory.dmp

Filesize
96KB

Download
memory/2144-25-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/2144-23-0x000000001AEA0000-0x000000001AEFA000-memory.dmp

Filesize
360KB

Download
memory/2144-21-0x0000000000490000-0x00000000004A6000-memory.dmp

Filesize
88KB

Download
memory/2144-19-0x0000000000470000-0x0000000000488000-memory.dmp

Filesize
96KB

Download
memory/2144-15-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/2144-13-0x0000000000C90000-0x0000000000F02000-memory.dmp

Filesize
2.4MB

Download
memory/2336-88-0x0000000000FE0000-0x0000000001252000-memory.dmp

Filesize
2.4MB

Download