Analysis
max time kernel: 139s
max time network: 151s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 23-01-2025 15:44

Behavioral task behavioral1
Sample: taskHostw.exe
Resource: win7-20241010-en

Behavioral task behavioral2
Sample: taskHostw.exe
Resource: win10v2004-20241007-en
General
Target: taskHostw.exe
Size: 1.1MB
MD5: 9acac2f1709100c4f471c5c4d9a6559a
SHA1: b0de7b3d1340bb3edc9b67a6ae2be9d25f1e6172
SHA256: e7fe25f706806440e04205b7fbe8c4dc0bef064327770b7ba7682917090509f5
SHA512: 196cea984b335b1cd03032d9002d799cb9bc85fb252f102510da8d3b14e0f02c15627f82c64cdc6ce086cf91e1960c0e3d6fc1bc539c657f1b0ff2e94276f1b8
SSDEEP: 24576:U2G/nvxW3Ww0tGyuDFfYdKDe17qJSZLQ+r/kDIdCCj:UbA30yFbaqerDPdF
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that can load additional plugins.

Dcrat family
Process spawned unexpected child process (12 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. When the unexpected parent is wmiprvse.exe, as here, the child was most likely created through WMI (processes started via Win32_Process.Create run under the WMI provider host) rather than by exploiting wmiprvse.exe itself; either way, schtasks.exe was launched by something other than an interactive shell.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2352 | 2784 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3052 | 2784 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2376 | 2784 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2516 | 2784 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2328 | 2784 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1060 | 2784 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1520 | 2784 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2500 | 2784 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2316 | 2784 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1708 | 2784 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2420 | 2784 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2956 | 2784 | schtasks.exe | 34
UAC bypass (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Bridgebrokerperf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Bridgebrokerperf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Bridgebrokerperf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe

YARA matches
resource | yara_rule
behavioral1/files/0x0008000000019394-11.dat | dcrat
behavioral1/memory/2924-13-0x0000000000C90000-0x0000000000D70000-memory.dmp | dcrat
behavioral1/memory/580-30-0x00000000000F0000-0x00000000001D0000-memory.dmp | dcrat
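The three policy values in the UAC bypass table are what the two dropped binaries set to 0 (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop), and the writer named winlogon.exe runs from Program Files rather than System32. The following Python is an added example, not part of the sandbox report or of the DcRat sample: it evaluates simplified registry-write events in a Sysmon Event ID 13-like shape, flags any of these values being set to 0, and raises severity when the writing process masquerades as a core Windows binary by name. The RegEvent shape, the EXPECTED_IMAGE table and the sample events are assumptions constructed for the example; the two malicious events mirror the IoCs listed above.

```python
"""Added example (not part of the sandbox report): flag registry writes that
weaken UAC, and escalate when the writer is a process masquerading as a core
Windows binary. The event shape is a simplified Sysmon Event ID 13 record;
the sample events are constructed from the IoCs in the report."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

UAC_POLICY_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"

# Meaning of the weak value "0" for each policy value the sample writes.
UAC_VALUES = {
    "EnableLUA": "Admin Approval Mode off; UAC disabled after the next reboot",
    "ConsentPromptBehaviorAdmin": "administrators elevate without any prompt",
    "PromptOnSecureDesktop": "elevation prompts no longer use the secure desktop",
}

# Core binaries that only ever run from System32 (assumed table); the sample's
# winlogon.exe lives under Program Files, which is what this check catches.
EXPECTED_IMAGE = {
    "winlogon.exe": r"c:\windows\system32\winlogon.exe",
    "smss.exe": r"c:\windows\system32\smss.exe",
}


@dataclass
class RegEvent:
    image: str    # full path of the writing process
    target: str   # registry path of the value written
    details: str  # new data as Sysmon renders it, e.g. "DWORD (0x00000000)"


def normalize_key(path: str) -> str:
    """Map the kernel-style \\REGISTRY\\MACHINE prefix (as in the report) to HKLM."""
    p = path.lower()
    prefix = "\\registry\\machine\\"
    return "hklm\\" + p[len(prefix):] if p.startswith(prefix) else p


def parse_dword(details: str) -> Optional[int]:
    m = re.fullmatch(r"DWORD \((0x[0-9a-f]+)\)", details, re.IGNORECASE)
    return int(m.group(1), 16) if m else None


def evaluate(ev: RegEvent) -> Optional[Dict[str, object]]:
    """Return a finding when a UAC policy value is set to 0, else None."""
    key, _, value_name = normalize_key(ev.target).rpartition("\\")
    canonical = next((v for v in UAC_VALUES if v.lower() == value_name), None)
    if key != UAC_POLICY_KEY or canonical is None or parse_dword(ev.details) != 0:
        return None
    image_name = ev.image.rsplit("\\", 1)[-1].lower()
    expected = EXPECTED_IMAGE.get(image_name)
    masquerade = expected is not None and ev.image.lower() != expected
    return {
        "value": canonical,
        "effect": UAC_VALUES[canonical],
        "image": ev.image,
        "masquerade": masquerade,
        "severity": "high" if masquerade else "medium",
    }


# Constructed sample: two writes taken from the report's IoCs plus one benign
# write (value left at 1 by a genuine System32 binary) as a control.
SAMPLE_EVENTS = [
    RegEvent(r"C:\Program Files\Windows NT\Accessories\de-DE\winlogon.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
             "DWORD (0x00000000)"),
    RegEvent(r"C:\webfontSessionBrokerHost\Bridgebrokerperf.exe",
             r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
             "DWORD (0x00000000)"),
    RegEvent(r"C:\Windows\System32\svchost.exe",
             r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
             "DWORD (0x00000001)"),
]


def findings(events: Optional[List[RegEvent]] = None) -> List[Dict[str, object]]:
    """Evaluate every event and keep only the findings."""
    evs = SAMPLE_EVENTS if events is None else events
    return [f for f in (evaluate(ev) for ev in evs) if f is not None]


if __name__ == "__main__":
    for f in findings():
        print(f["severity"], f["value"], "by", f["image"], "->", f["effect"])
```

The path check matters more than the value check: any admin tool can legitimately set these values, but a winlogon.exe outside System32 cannot.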
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
Deletes itself (1 IoC)
pid | Process
580 | winlogon.exe

Executes dropped EXE (2 IoCs)
pid | Process
2924 | Bridgebrokerperf.exe
580 | winlogon.exe

Loads dropped DLL (2 IoCs)
pid | Process | count
2776 | cmd.exe | 2
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other profile data.
Checks whether UAC is enabled (1 TTP, 4 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Bridgebrokerperf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Bridgebrokerperf.exe
Drops desktop.ini file(s) (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\assembly\Desktop.ini | winlogon.exe
Drops autorun.inf file (1 TTP, 1 IoC)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | winlogon.exe
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File opened for modification" by winlogon.exe:
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png
C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\RSSFeeds.css
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\1.png
C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png
C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_h.png
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClientsideProviders.resources.dll
C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui
C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Engine.resources.dll
C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_snow.png
C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png
C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png
C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_up.png
C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipBand.dll.mui
C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui
C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-desk.png
C:\Program Files (x86)\Common Files\System\Ole DB\msdasc.dll
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\settings.js
C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\settings.css
C:\Program Files\Common Files\System\ado\adojavas.inc
C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui
C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_disabled.png
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXSLE.dll
C:\Program Files\DVD Maker\ja-JP\OmdProject.dll.mui
C:\Program Files\Internet Explorer\DiagnosticsTap.dll
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png
C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Utilities.v3.5.resources.dll
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeUpdater.dll
C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Client.resources.dll
C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_m.png
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Resources.dll
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\Client.xml
C:\Program Files\Common Files\System\msadc\fr-FR\msadcfr.dll.mui
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Management.Instrumentation.Resources.dll
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\gadget.xml
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\XDPFile_8.ico
C:\Program Files\Windows Media Player\ja-JP\wmpnscfg.exe.mui
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\flyout.html
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif
C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll
C:\Program Files (x86)\Common Files\microsoft shared\ink\mraut.dll
C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\calendar.js
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\gadget.xml
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\1px.gif
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\4.png
C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\weather.js
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Engine.resources.dll
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Aero.dll
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Net.Resources.dll
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\clock.css
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\settings.js
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\22.png
C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui
C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssLogo.gif
C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkWatson.exe.mui
C:\Program Files\Windows Media Player\WMPMediaSharing.dll
C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\msdaorar.dll.mui
C:\Program Files (x86)\Windows NT\Accessories\es-ES\wordpad.exe.mui
C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui
Drops file in Windows directory (64 IoCs)
All 64 entries are "File opened for modification" by winlogon.exe:
C:\Windows\Help\Windows\fr-FR\netw.h1s
C:\Windows\Media\Savanna\Windows Default.wav
C:\Windows\Help\Windows\it-IT\netwl.h1s
C:\Windows\Help\Windows\it-IT\wasw.h1s
C:\Windows\ehome\ehrecvr.exe
C:\Windows\Fonts\j8514fix.fon
C:\Windows\Help\mui\040C\resmon.CHM
C:\Windows\Help\Windows\en-US\basics.h1s
C:\Windows\Help\Windows\ja-JP\medctr.h1s
C:\Windows\inf\netbrdgm.inf
C:\Windows\Help\Help\es-ES\resources.H1S
C:\Windows\Cursors\size2_im.cur
C:\Windows\ehome\wow\ehuihlp.dll
C:\Windows\Fonts\sseriff.fon
C:\Windows\Cursors\lnwse.cur
C:\Windows\Help\mui\0C0A\wmicontrol.CHM
C:\Windows\Help\Windows\it-IT\network.h1s
C:\Windows\Help\Windows\fr-FR\helpplc.h1s
C:\Windows\Media\Savanna\Windows Error.wav
C:\Windows\Cursors\beam_l.cur
C:\Windows\Fonts\simsun.ttc
C:\Windows\Help\Windows\en-US\helpplc.h1s
C:\Windows\Help\mui\0407\aclui.CHM
C:\Windows\Fonts\vgaf1256.fon
C:\Windows\Help\Windows\de-DE\movie.H1S
C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\microsoft.build.tasks.v4.0.dll_amd64
C:\Windows\diagnostics\system\DeviceCenter\TS_DeviceCenter.ps1
C:\Windows\diagnostics\system\Power\TS_ScreenBrightness.ps1
C:\Windows\diagnostics\system\Power\de-DE\RS_Balanced.psd1
C:\Windows\ehome\ehvid.exe
C:\Windows\Cursors\size3_r.cur
C:\Windows\diagnostics\system\Device\DiagPackage.diagpkg
C:\Windows\IME\it-IT\SpTip.dll.mui
C:\Windows\Media\Windows Battery Critical.wav
C:\Windows\Help\Windows\fr-FR\network.h1s
C:\Windows\Help\Windows\it-IT\app3rd.h1s
C:\Windows\ehome\mcGlidHost.exe
C:\Windows\ehome\it-IT\ehchsime.dll.mui
C:\Windows\Fonts\dosapp.fon
C:\Windows\Fonts\ebrima.ttf
C:\Windows\Help\Windows\fr-FR\efsfull.h1s
C:\Windows\Help\Windows\it-IT\artui4.h1s
C:\Windows\diagnostics\system\WindowsMediaPlayerConfiguration\TS_IsWMPUnavailable.ps1
C:\Windows\diagnostics\system\WindowsMediaPlayerConfiguration\de-DE\CL_LocalizationData.psd1
C:\Windows\Fonts\gautami.ttf
C:\Windows\Help\mui\0C0A\netcfg.CHM
C:\Windows\Help\Windows\it-IT\secpriv.h1s
C:\Windows\Cursors\aero_busy_l.ani
C:\Windows\Cursors\up_il.cur
C:\Windows\Help\Windows\it-IT\mreuse.h1s
C:\Windows\inf\UGTHRSVC\0410\gthrctr.ini
C:\Windows\Cursors\wait_rl.cur
C:\Windows\Help\Windows\en-US\artcon5.h1s
C:\Windows\Help\mui\0409\msdasc.chm
C:\Windows\Help\Windows\fr-FR\blutooth.h1s
C:\Windows\Help\Windows\it-IT\artcon5.h1s
C:\Windows\Help\Windows\ja-JP\locate.h1s
C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\ShellUI.MST
C:\Windows\Media\Savanna\Windows Notify.wav
C:\Windows\Fonts\j8514oem.fon
C:\Windows\Fonts\vgas874.fon
C:\Windows\Help\Windows\es-ES\errmes.h1s
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\8821b72d5d51079acf96e90c4af19a96\System.Xml.ni.dll
C:\Windows\diagnostics\system\Printer\RS_RestartSpoolerService.ps1
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskHostw.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1520 | schtasks.exe
2500 | schtasks.exe
2316 | schtasks.exe
2420 | schtasks.exe
2352 | schtasks.exe
3052 | schtasks.exe
1060 | schtasks.exe
1708 | schtasks.exe
2956 | schtasks.exe
2376 | schtasks.exe
2516 | schtasks.exe
2328 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | Process | count
2924 | Bridgebrokerperf.exe | 3
580 | winlogon.exe | 9
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2924 | Bridgebrokerperf.exe
Token: SeDebugPrivilege | 580 | winlogon.exe
Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target | count
PID 2380 wrote to memory of 2908 | 2380 | taskHostw.exe | 30 | 4
PID 2908 wrote to memory of 2776 | 2908 | WScript.exe | 31 | 4
PID 2776 wrote to memory of 2924 | 2776 | cmd.exe | 33 | 4
PID 2924 wrote to memory of 2348 | 2924 | Bridgebrokerperf.exe | 47 | 3
PID 2348 wrote to memory of 936 | 2348 | cmd.exe | 49 | 3
PID 2348 wrote to memory of 580 | 2348 | cmd.exe | 50 | 3
System policy modification (1 TTP, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Bridgebrokerperf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Bridgebrokerperf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Bridgebrokerperf.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Numbers give the depth in the process tree; each entry lists image path, command line, PID and matched signatures.)

1. C:\Users\Admin\AppData\Local\Temp\taskHostw.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\taskHostw.exe"
   PID: 2380
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\webfontSessionBrokerHost\Ur1NipdNxN.vbe"
      PID: 2908
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\webfontSessionBrokerHost\SpdD9zKqJDT3l.bat" "
         PID: 2776
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\webfontSessionBrokerHost\Bridgebrokerperf.exe
            Command line: "C:\webfontSessionBrokerHost\Bridgebrokerperf.exe"
            PID: 2924
            - UAC bypass
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            5. C:\Windows\System32\cmd.exe
               Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sd1ikTBUNS.bat"
               PID: 2348
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\system32\w32tm.exe
                  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  PID: 936
               6. C:\Program Files\Windows NT\Accessories\de-DE\winlogon.exe
                  Command line: "C:\Program Files\Windows NT\Accessories\de-DE\winlogon.exe"
                  PID: 580
                  - UAC bypass
                  - Deletes itself
                  - Executes dropped EXE
                  - Checks whether UAC is enabled
                  - Drops desktop.ini file(s)
                  - Drops autorun.inf file
                  - Drops file in Program Files directory
                  - Drops file in Windows directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - System policy modification

Scheduled task creation (depth 1; parent C:\Windows\system32\wbem\wmiprvse.exe, PID 2784, per the "Process spawned unexpected child process" signature)

1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\smss.exe'" /f
   PID: 2352
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
   PID: 3052
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
   PID: 2376
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /f
   PID: 2516
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
   PID: 2328
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
   PID: 1060
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\winlogon.exe'" /f
   PID: 1520
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\de-DE\winlogon.exe'" /rl HIGHEST /f
   PID: 2500
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\winlogon.exe'" /rl HIGHEST /f
   PID: 2316
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\System.exe'" /f
   PID: 1708
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\TAPI\System.exe'" /rl HIGHEST /f
   PID: 2420
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\System.exe'" /rl HIGHEST /f
   PID: 2956
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
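The twelve schtasks invocations above encode the persistence scheme: each payload gets one ONLOGON task with /rl HIGHEST plus one or two MINUTE tasks that re-launch it every few minutes, the actions point at copies named after core Windows processes (smss.exe, winlogon.exe, System.exe) outside System32, and the parent is wmiprvse.exe rather than a shell. The following Python is an added example, not code from the report or from the sample: it parses schtasks /create command lines and scores each against those traits. The first four command lines are taken from the report and the parent value from the "Process spawned unexpected child process" signature; the benign last line, the EXPECTED_PARENTS set, the CORE_NAMES list and the scoring thresholds are assumptions constructed for the example.

```python
"""Added example (not part of the sandbox report): parse schtasks /create
command lines and score them for persistence tradecraft. The first lines are
the ones the report shows, with wmiprvse.exe as parent per its
"Process spawned unexpected child process" signature; the last line is a
constructed benign control."""
import re
from typing import Dict, List, Optional, Tuple

# /flag, optionally followed by a "quoted" or bare value (bare values never start with '/').
ARG_RE = re.compile(r'/(?P<flag>[A-Za-z]+)(?:\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>[^/\s]\S*)))?')

# Core Windows process names that only ever run from System32 (assumed list).
# "System" is the kernel process and has no image file, so a System.exe anywhere
# on disk is a masquerade.
CORE_NAMES = {"smss.exe", "winlogon.exe", "csrss.exe", "lsass.exe", "services.exe", "system.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
# Parents from which schtasks is normally run by an administrator or installer (assumed).
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe", "mmc.exe", "msiexec.exe"}


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Return {flag: value}; bare switches such as /f map to ''."""
    args: Dict[str, str] = {}
    for m in ARG_RE.finditer(cmdline):
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        args[m.group("flag").lower()] = value or ""
    return args


def triage(cmdline: str, parent: str) -> Dict[str, object]:
    """Score one schtasks /create line; each matched trait adds one reason."""
    a = parse_schtasks(cmdline)
    # schtasks passes /tr through as typed; the sample wraps the path in single quotes.
    action = a.get("tr", "").strip("'")
    image = action.rsplit("\\", 1)[-1].lower()
    reasons: List[str] = []
    if parent.lower() not in EXPECTED_PARENTS:
        reasons.append(f"created from {parent} (programmatic task creation)")
    if image in CORE_NAMES and not action.lower().startswith(SYSTEM32):
        reasons.append(f"{image} masquerade outside System32: {action}")
    if a.get("rl", "").upper() == "HIGHEST":
        reasons.append("runs with highest privileges (/rl HIGHEST)")
    schedule = a.get("sc", "").upper()
    if schedule == "ONLOGON":
        reasons.append("logon persistence (/sc ONLOGON)")
    elif schedule == "MINUTE":
        every = int(a.get("mo") or 1)  # schtasks defaults /mo to 1 for MINUTE
        if every <= 15:
            reasons.append(f"re-launches every {every} min (watchdog)")
    return {"task": a.get("tn", ""), "action": action, "score": len(reasons), "reasons": reasons}


REPORT_LINES: List[Tuple[str, str]] = [
    (r'''schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\smss.exe'" /f''', "wmiprvse.exe"),
    (r'''schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f''', "wmiprvse.exe"),
    (r'''schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\winlogon.exe'" /rl HIGHEST /f''', "wmiprvse.exe"),
    (r'''schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\TAPI\System.exe'" /rl HIGHEST /f''', "wmiprvse.exe"),
    # Constructed benign control, not from the report.
    (r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f''', "cmd.exe"),
]


def triage_all(lines: Optional[List[Tuple[str, str]]] = None) -> List[Dict[str, object]]:
    return [triage(cmd, parent) for cmd, parent in (REPORT_LINES if lines is None else lines)]


if __name__ == "__main__":
    for r in sorted(triage_all(), key=lambda r: -int(r["score"])):
        print(r["score"], r["task"], r["action"], "; ".join(r["reasons"]))
```

Feeding it Sysmon Event ID 1 records (CommandLine plus ParentImage) is the obvious production input; the masquerade check alone is a low-noise rule, since nothing legitimate schedules a winlogon.exe or smss.exe from under Program Files, Users or MSOCache.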
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (2)
Credential Access
  Credentials from Password Stores (2)
    Credentials from Web Browsers (1)
    Windows Credential Manager (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize: 966B
MD5: 1b0c3b6d027d0b3a74e6b9a528e826fb
SHA1: c9aa8d2e7394fce181500aab2008e51e8aa7ae26
SHA256: c25756eee38bf7e899db9f6f8b0b2cb265a35ca6a75d70bcdce50187e8096e1c
SHA512: 6d225fd0c46a22b4c46b130e9b5b19a027a942aa69b1346043c1e84427c2e903b0eba42075023e0c06d89ac6fcf3be83b5629d388c27ea54ffb41cf74a75dce7

Filesize: 118B
MD5: be7666de303b73c855ead7a6efbe4ad6
SHA1: 45cf8f7a4d356631720e54b07f0ed714f46ee771
SHA256: 2aae7efa193daede452aa08547ed87ddfeb71f4f399e205dfc78505e8d34f0e7
SHA512: 5f093d49b7d4342f97053305c1a05659f8e48897bd1c17378ecb7aa588c83e4511b53a31653c3215e8ea3ac467d19b7cd923518a8e436f14eaed93060be8c37c

Filesize: 223B
MD5: 29d872559c61dae6a80cb3284afa58d1
SHA1: f281ab0021c255105808a29ce09a8b78c09abca6
SHA256: c2fba60f51137393cdf249934fb2d97e765aeaf9087ef8f4f9b1df187287c115
SHA512: bfabc51615832e8099895ebcc7709e5e4902f8a389751c17562c5db1ebfa4dce8a212107031048f9b755793bd7684934f5f2e9b0c1864af59ffdac551f1471e6

Filesize: 654B
MD5: 1a0f86078f0cc8c8f27c3934369bde3e
SHA1: 4c885dc3a9ea60dacd9c32cc3f1455c78aa8fd7a
SHA256: 150ff91ced8c09b9d1276712353d4236cd66b2c91255ee11cb6e7671e25315d9
SHA512: 93f47f7c2ac7a342645a1f49265e32271de648be8f317b7b1968c2acaaac7264582aed21729c607b6dabd2779972d4c5d5f7f3c3db51dca9fbfd4c0c4c833492

Filesize: 50B
MD5: 37e781c64e1e5057220cc587925258d4
SHA1: 3cd34c35d3d528b8ec2952d6c616cc3896b2dc66
SHA256: 24510bbfd8f20c029b17d88853e82dbc2d2637b52dc76be8ceebf57243cac344
SHA512: 3fa6c68ea554401af69bdf21061b17d9c068a2e7f42b2901c4a3e18d14aae7b52706fd24edc2f2da06db806a8b3d00dbdbfe3b963d72945af0801c8c3c9840ba

Filesize: 215B
MD5: 56f8dfb763248f67943afcc431c9a28c
SHA1: b31a8e990b3971d27bbb0ff1c9bcff6fbaf33211
SHA256: db5202acf3a53d23f14faa846e27c2415cb33c26b5ac151a298209a0e7a1e4ac
SHA512: c0a81de45024a042abfc5876f3fde486b2ae809ac2d5ff099cd2d288ba863b0bff86cf4d6fda335a7eb40a2c26218e3ffb417d20b7167c9dd54be4b74e921b6b

Filesize: 865KB
MD5: 1465b464ff78a41cf8af12d58ca62588
SHA1: 9c4904b19b2b111c9c96cb0aba28aa3413b54c83
SHA256: 485228dc5bfeb7694133fd50861f0c48f314003f8ee1030db3d063d07930bd3a
SHA512: c609086d161150a3754240aab9f76904a221314374b7b5c373bd9548bce6ec1cce509564523c9b8b2a16710f8ecbe558dd7b8f62adecc2007fe83320a19bdb0b