dcrat | 2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253

Analysis

max time kernel
121s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/01/2025, 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51ee1c43b8c4c83a1ee89f486a002e8a.exe
Size

1.9MB
MD5

51ee1c43b8c4c83a1ee89f486a002e8a
SHA1

ac3559b85e9f8328fc661c4f7dc17d464aa461fa
SHA256

2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253
SHA512

3191012d5078beb815ff733c3981545858a30e5051ffbbb7b4bb1dff5bab82004809a0d407af0d8312b241c05738591d7a83ce2e01e0c9b2e8f9d325ca9649d6
SSDEEP

49152:SIsY+oZb+wZGTt6IDmYYg+tfxXi1Mq39V:SIg6IDatJXbM9V

Score

10^/10

dcrat execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\audiodg.exe\""	51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\audiodg.exe\", \"C:\\Windows\\Setup\\Idle.exe\""	51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\audiodg.exe\", \"C:\\Windows\\Setup\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\csrss.exe\""	51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\audiodg.exe\", \"C:\\Windows\\Setup\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\dllhost.exe\""	51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\audiodg.exe\", \"C:\\Windows\\Setup\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\51ee1c43b8c4c83a1ee89f486a002e8a.exe\""	51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\""	51ee1c43b8c4c83a1ee89f486a002e8a.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2888	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2888	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2888	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2888	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2888	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2888	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2888	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2888	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2888	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2888	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2888	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2888	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2888	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2888	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2888	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2888	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2888	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2888	schtasks.exe	31

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1596	powershell.exe
2240	powershell.exe
1100	powershell.exe
1772	powershell.exe
2268	powershell.exe
2344	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1364	Idle.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Default User\\audiodg.exe\""	51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Windows Sidebar\\audiodg.exe\""	51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Sidebar\\csrss.exe\""	51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\AppData\\dllhost.exe\""	51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\51ee1c43b8c4c83a1ee89f486a002e8a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\51ee1c43b8c4c83a1ee89f486a002e8a.exe\""	51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Default User\\audiodg.exe\""	51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Windows Sidebar\\audiodg.exe\""	51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Setup\\Idle.exe\""	51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Setup\\Idle.exe\""	51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Sidebar\\csrss.exe\""	51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\AppData\\dllhost.exe\""	51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\51ee1c43b8c4c83a1ee89f486a002e8a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\51ee1c43b8c4c83a1ee89f486a002e8a.exe\""	51ee1c43b8c4c83a1ee89f486a002e8a.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ipinfo.io
12	ipinfo.io
13	ipinfo.io
4	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCDEDAB071B0F64DE09691ADF5636D8BE.TMP	csc.exe
File created	\??\c:\Windows\System32\wa0wg5.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\886983d96e3d3e	51ee1c43b8c4c83a1ee89f486a002e8a.exe
File created	C:\Program Files (x86)\Windows Sidebar\audiodg.exe	51ee1c43b8c4c83a1ee89f486a002e8a.exe
File created	C:\Program Files (x86)\Windows Sidebar\42af1c969fbb7b	51ee1c43b8c4c83a1ee89f486a002e8a.exe
File created	C:\Program Files\Windows Sidebar\csrss.exe	51ee1c43b8c4c83a1ee89f486a002e8a.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Setup\Idle.exe	51ee1c43b8c4c83a1ee89f486a002e8a.exe
File created	C:\Windows\Setup\6ccacd8608530f	51ee1c43b8c4c83a1ee89f486a002e8a.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	51ee1c43b8c4c83a1ee89f486a002e8a.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2868	schtasks.exe
264	schtasks.exe
2000	schtasks.exe
1600	schtasks.exe
2064	schtasks.exe
2104	schtasks.exe
2796	schtasks.exe
1524	schtasks.exe
2720	schtasks.exe
2612	schtasks.exe
2900	schtasks.exe
1188	schtasks.exe
2188	schtasks.exe
2620	schtasks.exe
2928	schtasks.exe
1196	schtasks.exe
1036	schtasks.exe
1604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
628	51ee1c43b8c4c83a1ee89f486a002e8a.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	1364	Idle.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 3032	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	35
PID 628 wrote to memory of 3032	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	35
PID 628 wrote to memory of 3032	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	35
PID 3032 wrote to memory of 1776	3032	csc.exe	37
PID 3032 wrote to memory of 1776	3032	csc.exe	37
PID 3032 wrote to memory of 1776	3032	csc.exe	37
PID 628 wrote to memory of 2268	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	53
PID 628 wrote to memory of 2268	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	53
PID 628 wrote to memory of 2268	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	53
PID 628 wrote to memory of 2344	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	54
PID 628 wrote to memory of 2344	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	54
PID 628 wrote to memory of 2344	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	54
PID 628 wrote to memory of 1772	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	55
PID 628 wrote to memory of 1772	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	55
PID 628 wrote to memory of 1772	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	55
PID 628 wrote to memory of 1100	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	57
PID 628 wrote to memory of 1100	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	57
PID 628 wrote to memory of 1100	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	57
PID 628 wrote to memory of 2240	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	60
PID 628 wrote to memory of 2240	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	60
PID 628 wrote to memory of 2240	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	60
PID 628 wrote to memory of 1596	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	62
PID 628 wrote to memory of 1596	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	62
PID 628 wrote to memory of 1596	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	62
PID 628 wrote to memory of 2024	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	65
PID 628 wrote to memory of 2024	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	65
PID 628 wrote to memory of 2024	628	51ee1c43b8c4c83a1ee89f486a002e8a.exe	65
PID 2024 wrote to memory of 1416	2024	cmd.exe	67
PID 2024 wrote to memory of 1416	2024	cmd.exe	67
PID 2024 wrote to memory of 1416	2024	cmd.exe	67
PID 2024 wrote to memory of 896	2024	cmd.exe	68
PID 2024 wrote to memory of 896	2024	cmd.exe	68
PID 2024 wrote to memory of 896	2024	cmd.exe	68
PID 2024 wrote to memory of 1364	2024	cmd.exe	69
PID 2024 wrote to memory of 1364	2024	cmd.exe	69
PID 2024 wrote to memory of 1364	2024	cmd.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe
"C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qxtgffdb\qxtgffdb.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE60B.tmp" "c:\Windows\System32\CSCDEDAB071B0F64DE09691ADF5636D8BE.TMP"
    3⤵
    PID:1776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r4rizFZOU7.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1416
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:896
- - C:\Windows\Setup\Idle.exe
    "C:\Windows\Setup\Idle.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Setup\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "51ee1c43b8c4c83a1ee89f486a002e8a5" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "51ee1c43b8c4c83a1ee89f486a002e8a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "51ee1c43b8c4c83a1ee89f486a002e8a5" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE60B.tmp

Filesize
1KB

MD5
8e4aefa079f5292f6ac30954830a5eb0

SHA1
7cc247720ade3256d835c08b3db0153990e1dfec

SHA256
c4357308c78ef68572b068d68facff8ac6e37da51f357324a40f05ee0da08096

SHA512
14c9ea30d9d98d8ef7281f0fc91a10e43b6199f20a16fa084bdc5989c6ab16c6637c586349eedc2f523efbb789c60893ca4345d69c09bebec9f3b9b38d101fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\r4rizFZOU7.bat

Filesize
201B

MD5
27d0b5229146d95fb16032266d06adc9

SHA1
30152ac8a3e48384b5ea6233643645df241aec89

SHA256
ce2e4e1c24f624d59a5ae109e22745407d0fe7a749f44ed829a9afc7c6a8f57c

SHA512
df712ebf91c92ecef278a5f294da0a48bf2c612dac5b6a428fd1da3c0d5b43060baa06611f8bdb356623c28ea4bf46dbef65985c987384db6584777a8a69c1e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6d7b261fe79ac8ce6930fe492a312ba8

SHA1
a4ed9e41d92285d46dfc260627e3b2035ea365f7

SHA256
0788294f9b647f7342f5387d65380e7b955919f4bea084cbbf17dee655d78105

SHA512
b10d4a57ae56f464b8a34cc31083ddc9f03cf15a7f50d3ac3bd1e952aee218ebac2d8b9b94fd3ec6da777b81d3857c3d762810e14e91d1939c0a14be7c324b61

Download Submit
C:\Users\Default\audiodg.exe

Filesize
1.9MB

MD5
51ee1c43b8c4c83a1ee89f486a002e8a

SHA1
ac3559b85e9f8328fc661c4f7dc17d464aa461fa

SHA256
2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253

SHA512
3191012d5078beb815ff733c3981545858a30e5051ffbbb7b4bb1dff5bab82004809a0d407af0d8312b241c05738591d7a83ce2e01e0c9b2e8f9d325ca9649d6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qxtgffdb\qxtgffdb.0.cs

Filesize
365B

MD5
68c3a3838b33acb4afbdca44a1ae8009

SHA1
dcd4a944b27c31e013a7b1f2acc623da9b13348e

SHA256
8beb67b7d15a6684a450a40453943ea89b95e50cc51f05dc4b8c8dca63e81e24

SHA512
144439322fa15372eb4963a7bad46af0b75afb2f51373be88e25dc6f2be97de661952c3a789d25d2981ef7dcc86347d099245a76f3220cb486059aa5b8e559b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qxtgffdb\qxtgffdb.cmdline

Filesize
235B

MD5
114554d05044eb27154ce1db7f0284b6

SHA1
f87e786090db9a26be57785fb1b20a5d0239a5fd

SHA256
17552327528ff3fbcf24f71bc568420bcac76d983f532a89b1da09fcd3d2f4c3

SHA512
2d91d1035c59b19a707bf5a39603e96aa78b5ad9a2e4a1c723a3f3f0349f00615cd7cccff0aea66ab4f6821f0b2369f705a2c7898018388267849b0b1cb0a75a

Download Submit
\??\c:\Windows\System32\CSCDEDAB071B0F64DE09691ADF5636D8BE.TMP

Filesize
1KB

MD5
b74f131aab310dc6e37b43e729c24199

SHA1
bade4cf35d7e80e79880396c1fdd518d9ab78bdf

SHA256
5fdff2a34cc18e36619ff327b292a8255286dc102d85074b7fc625ccbdbe1858

SHA512
733cb12c94d0a8bedc9a38c073dff2fc46553854d7e835767aaa749b4754beef77fa3bc8232eab21c92bc808c08b150cafe5c035bb33d82292fbf76fec55d885

Download Submit
memory/628-13-0x0000000000530000-0x000000000053E000-memory.dmp

Filesize
56KB

Download
memory/628-34-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/628-10-0x0000000000570000-0x0000000000588000-memory.dmp

Filesize
96KB

Download
memory/628-15-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/628-17-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/628-18-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/628-0-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

Filesize
4KB

Download
memory/628-30-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/628-31-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/628-32-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/628-33-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/628-11-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/628-8-0x0000000000550000-0x000000000056C000-memory.dmp

Filesize
112KB

Download
memory/628-6-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/628-4-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/628-3-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/628-47-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/628-2-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/628-1-0x0000000000DD0000-0x0000000000FB8000-memory.dmp

Filesize
1.9MB

Download
memory/628-56-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/1364-87-0x00000000008F0000-0x0000000000AD8000-memory.dmp

Filesize
1.9MB

Download
memory/2268-58-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2268-59-0x0000000002730000-0x0000000002738000-memory.dmp

Filesize
32KB

Download