dcrat | 2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728

Analysis

max time kernel
22s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-02-2025 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Size

1.8MB
MD5

fcd38cbaa3982793517697bf89f666cc
SHA1

c345ceffabb9decaaa1e7a4f9582313401cbd589
SHA256

2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728
SHA512

8c5b64aa64dbc494e413b4e83b21c4f9bb0e3dd684a601c4faf1896e2f7d13cdb0885405b17839390358f823f4d61ea608b14f14e3f98d52a03778be64df0b9d
SSDEEP

24576:QNHIUS4ZU8NigrQ1JKwsy3CL3sZb2W2LimA2putPYrrJUHJZ5HwhJ5Ji2aaf1kWT:oII8LFCL3sZqd204AKHFgTI2aU1kW

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\en-US\\WmiPrvSE.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\en-US\\WmiPrvSE.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\en-US\\WmiPrvSE.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\OSPPSVC.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\en-US\\WmiPrvSE.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\en-US\\WmiPrvSE.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\OSPPSVC.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\en-US\\WmiPrvSE.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\OSPPSVC.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	3020	schtasks.exe	29

Executes dropped EXE 1 IoCs

pid	Process
2260	Idle.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\PolicyDefinitions\\en-US\\WmiPrvSE.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\PolicyDefinitions\\en-US\\WmiPrvSE.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\OSPPSVC.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\OSPPSVC.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\hi5-9c.exe	csc.exe
File created	\??\c:\Windows\System32\CSC62D051068DB84589A2C953A458FC55B.TMP	csc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\en-US\WmiPrvSE.exe	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
File created	C:\Windows\PolicyDefinitions\en-US\24dbde2999530e	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
840	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
840	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
928	schtasks.exe
2980	schtasks.exe
2028	schtasks.exe
1708	schtasks.exe
1188	schtasks.exe
2952	schtasks.exe
1324	schtasks.exe
1780	schtasks.exe
2668	schtasks.exe
1852	schtasks.exe
2968	schtasks.exe
1560	schtasks.exe
2336	schtasks.exe
1920	schtasks.exe
2132	schtasks.exe
1588	schtasks.exe
2716	schtasks.exe
2780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Token: SeDebugPrivilege	2260	Idle.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2736	2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe	33
PID 2604 wrote to memory of 2736	2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe	33
PID 2604 wrote to memory of 2736	2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe	33
PID 2736 wrote to memory of 2724	2736	csc.exe	35
PID 2736 wrote to memory of 2724	2736	csc.exe	35
PID 2736 wrote to memory of 2724	2736	csc.exe	35
PID 2604 wrote to memory of 2860	2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe	51
PID 2604 wrote to memory of 2860	2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe	51
PID 2604 wrote to memory of 2860	2604	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe	51
PID 2860 wrote to memory of 2204	2860	cmd.exe	53
PID 2860 wrote to memory of 2204	2860	cmd.exe	53
PID 2860 wrote to memory of 2204	2860	cmd.exe	53
PID 2860 wrote to memory of 840	2860	cmd.exe	54
PID 2860 wrote to memory of 840	2860	cmd.exe	54
PID 2860 wrote to memory of 840	2860	cmd.exe	54
PID 2860 wrote to memory of 2260	2860	cmd.exe	55
PID 2860 wrote to memory of 2260	2860	cmd.exe	55
PID 2860 wrote to memory of 2260	2860	cmd.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
"C:\Users\Admin\AppData\Local\Temp\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tw42lxwb\tw42lxwb.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85E2.tmp" "c:\Windows\System32\CSC62D051068DB84589A2C953A458FC55B.TMP"
    3⤵
    PID:2724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hWuhziRgfe.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2204
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:840
- - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
    "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\en-US\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb7282" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb7282" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES85E2.tmp

Filesize
1KB

MD5
edcf56f03caef7911cfbca9c69a6fc10

SHA1
7a768ef0ddd6ac587f57f213435e64522ca12c48

SHA256
74e337c55b8658b358df11f01565cb13047c830324fa109f7f6efa5c499e8fb8

SHA512
b21c3ce2e905bd65fb802328f1a15d248c2742635051ba9fbb034821896bcc8caba0fe20b4fa03e49eeb1efa275dd2bba630f844e991d8e544997348f22c9568

Download Submit
C:\Users\Admin\AppData\Local\Temp\hWuhziRgfe.bat

Filesize
185B

MD5
d712da0c9d5c921e7d7d591125b093ed

SHA1
78f63cde88f3fdea2f631fd825294921caacb0aa

SHA256
0b50a83da4e546546d2fd9aea91ede668f143c095ba0aa26fc874c91b7932c10

SHA512
e5b2204c8859f85d8bb0bcb965571148a225e0240ebde188f15853f0a198fd3bbc9d220aac690e8e76907e3e95eb89db5e8f0336a4a82f7594ad9d94fb4db414

Download Submit
C:\Windows\PolicyDefinitions\en-US\WmiPrvSE.exe

Filesize
1.8MB

MD5
fcd38cbaa3982793517697bf89f666cc

SHA1
c345ceffabb9decaaa1e7a4f9582313401cbd589

SHA256
2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728

SHA512
8c5b64aa64dbc494e413b4e83b21c4f9bb0e3dd684a601c4faf1896e2f7d13cdb0885405b17839390358f823f4d61ea608b14f14e3f98d52a03778be64df0b9d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tw42lxwb\tw42lxwb.0.cs

Filesize
379B

MD5
14af616cf191c37335903a2762141eda

SHA1
3ce384ff14df750cc695fd1b16829329d4410407

SHA256
70f699b82ff4c20bf725e97fafa20e068e07254ca7ee71ad2092f8e1e5c65548

SHA512
06820b6e33ce18f47311db3a3d7813469b7c83172e2a2b86912a1543a603e0794be2deac15a751d4c1be69604ee17eac62ae85b730468b0ec7d8f8370fd65f9c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tw42lxwb\tw42lxwb.cmdline

Filesize
235B

MD5
31ecf5950016f1fc78f4b5e9b2dbb4ed

SHA1
e6397f2e894c5fa972aac54c1e0d9dc89ece10e6

SHA256
87edcb7934121abc6eda5bd193a7cbde16a8d60c63864119c0f6253142551bc1

SHA512
8c60fc3cc247763bfe0ae7a1a3a03097a02449802e1f9b4c381a6714e1c3b9e9a66bafe6dfe66136a1eb1e52bdc11ed885f6e4db5033a4763debd41f4a1bd0e8

Download Submit
\??\c:\Windows\System32\CSC62D051068DB84589A2C953A458FC55B.TMP

Filesize
1KB

MD5
60a1ebb8f840aad127346a607d80fc19

SHA1
c8b7e9ad601ac19ab90b3e36f811960e8badf354

SHA256
9d6a9d38b7a86cc88e551a0c1172a3fb387b1a5f928ac13993ec3387d39cc243

SHA512
44830cefb264bac520174b4b884312dd0393be33a193d4f0fee3cc3c14deb86ca39e43ef281232f9169fd204d19b22e8a7aad72fa448ca52d5cbc3ee1dbb18a4

Download Submit
memory/2260-49-0x0000000000F40000-0x000000000111A000-memory.dmp

Filesize
1.9MB

Download
memory/2604-6-0x0000000000370000-0x000000000037E000-memory.dmp

Filesize
56KB

Download
memory/2604-8-0x00000000003A0000-0x00000000003BC000-memory.dmp

Filesize
112KB

Download
memory/2604-12-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-14-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2604-16-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-15-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-18-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-11-0x00000000003C0000-0x00000000003D8000-memory.dmp

Filesize
96KB

Download
memory/2604-9-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-0-0x000007FEF6253000-0x000007FEF6254000-memory.dmp

Filesize
4KB

Download
memory/2604-4-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-3-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-2-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-46-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-1-0x0000000000860000-0x0000000000A3A000-memory.dmp

Filesize
1.9MB

Download