dcrat | 2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2025 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Size

1.8MB
MD5

fcd38cbaa3982793517697bf89f666cc
SHA1

c345ceffabb9decaaa1e7a4f9582313401cbd589
SHA256

2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728
SHA512

8c5b64aa64dbc494e413b4e83b21c4f9bb0e3dd684a601c4faf1896e2f7d13cdb0885405b17839390358f823f4d61ea608b14f14e3f98d52a03778be64df0b9d
SSDEEP

24576:QNHIUS4ZU8NigrQ1JKwsy3CL3sZb2W2LimA2putPYrrJUHJZ5HwhJ5Ji2aaf1kWT:oII8LFCL3sZqd204AKHFgTI2aU1kW

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dllhost.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\smss.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\smss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fontdrvhost.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\smss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\en-US\\TextInputHost.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\smss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\en-US\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\backgroundTaskHost.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\smss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\en-US\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	3100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	3100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	3100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	3100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	3100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	3100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	3100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	3100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	3100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	3100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	3100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	3100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	3100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	3100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	3100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	3100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	3100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	3100	schtasks.exe	86

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe

Executes dropped EXE 1 IoCs

pid	Process
1564	dllhost.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default User\\dllhost.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Google\\Temp\\smss.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows Sidebar\\fontdrvhost.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Windows Photo Viewer\\en-US\\TextInputHost.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\backgroundTaskHost.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\backgroundTaskHost.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default User\\dllhost.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows Sidebar\\fontdrvhost.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Windows Photo Viewer\\en-US\\TextInputHost.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Google\\Temp\\smss.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC5015FD0BDB6F40C8BAC7A47AA95CFF3.TMP	csc.exe
File created	\??\c:\Windows\System32\1mirkm.exe	csc.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\en-US\TextInputHost.exe	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
File created	C:\Program Files (x86)\Windows Sidebar\fontdrvhost.exe	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
File created	C:\Program Files (x86)\Google\Temp\69ddcba757bf72	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\backgroundTaskHost.exe	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\eddb19405b7ce1	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\22eafd247d37c3	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
File created	C:\Program Files (x86)\Windows Sidebar\5b884080fd4f94	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
File created	C:\Program Files (x86)\Google\Temp\smss.exe	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\backgroundTaskHost.exe	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1528	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1528	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2092	schtasks.exe
2648	schtasks.exe
4872	schtasks.exe
4552	schtasks.exe
4624	schtasks.exe
2276	schtasks.exe
2152	schtasks.exe
4264	schtasks.exe
924	schtasks.exe
4896	schtasks.exe
4360	schtasks.exe
3872	schtasks.exe
4784	schtasks.exe
4892	schtasks.exe
3660	schtasks.exe
4972	schtasks.exe
1164	schtasks.exe
3024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1564	dllhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Token: SeDebugPrivilege	1564	dllhost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 3460	4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe	90
PID 4904 wrote to memory of 3460	4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe	90
PID 3460 wrote to memory of 2740	3460	csc.exe	92
PID 3460 wrote to memory of 2740	3460	csc.exe	92
PID 4904 wrote to memory of 4996	4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe	108
PID 4904 wrote to memory of 4996	4904	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe	108
PID 4996 wrote to memory of 3988	4996	cmd.exe	110
PID 4996 wrote to memory of 3988	4996	cmd.exe	110
PID 4996 wrote to memory of 1528	4996	cmd.exe	111
PID 4996 wrote to memory of 1528	4996	cmd.exe	111
PID 4996 wrote to memory of 1564	4996	cmd.exe	114
PID 4996 wrote to memory of 1564	4996	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
"C:\Users\Admin\AppData\Local\Temp\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tygw3qfp\tygw3qfp.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8220.tmp" "c:\Windows\System32\CSC5015FD0BDB6F40C8BAC7A47AA95CFF3.TMP"
    3⤵
    PID:2740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bU6Z4eZ1nx.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3988
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1528
- - C:\Users\Default User\dllhost.exe
    "C:\Users\Default User\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Temp\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\en-US\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\en-US\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb7282" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb7282" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8220.tmp

Filesize
1KB

MD5
012349eb88c030d2da14c31e824e1618

SHA1
4ed942059a1bb8e72417c30e338d84b0613eb4a9

SHA256
61e271e8a0abd1ae5576b52352ad397598fcfc625a9420df685813f3f28cc409

SHA512
f0d19dba3b6251ca597369ccc8fedad84ce09671425c78c927b722073058bc0289b7b52ba5b14496817c593a670504e8ee35e0739f38af20d4553b81bafb330d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bU6Z4eZ1nx.bat

Filesize
161B

MD5
2ad011db5e9f961505d726d1de1451f1

SHA1
17c91302d8c7a8ce2bacdb6bf1a120d8a2f95689

SHA256
abdc5606377d79d17d1229e85a9be7fc748a7b9faaf8a1f65a167202cbe75479

SHA512
304b644b4a6fde6dba2d215b20a048c5999fe6badf124c2deeaf8c8b04afa3284e8208a84b4d25bfea02a4efe8ca738b5ffd4ef4e6dbe00d291d206241e6aa40

Download Submit
C:\Users\Default\dllhost.exe

Filesize
1.8MB

MD5
fcd38cbaa3982793517697bf89f666cc

SHA1
c345ceffabb9decaaa1e7a4f9582313401cbd589

SHA256
2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728

SHA512
8c5b64aa64dbc494e413b4e83b21c4f9bb0e3dd684a601c4faf1896e2f7d13cdb0885405b17839390358f823f4d61ea608b14f14e3f98d52a03778be64df0b9d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tygw3qfp\tygw3qfp.0.cs

Filesize
365B

MD5
94e97f9890e0b9d361a492f02de1adcd

SHA1
e1e7414f6c1e3f9e15467761bdcafcdd8f924676

SHA256
316ba22d15e75fe8a543afe069a3a2c5cbac70330042c3aa8c7b57196b0d420b

SHA512
4e3fafab8228aa1b27fc5132bf7c4e10c40fa9eb63b580c298a6468e6ef8efcc3c37a0551586c54dfebd0a3ae180d1ea6a6151970b318753da454c23c17de53c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tygw3qfp\tygw3qfp.cmdline

Filesize
235B

MD5
8bb8a31cb509c5a72dd5f5d2a5093990

SHA1
6200678139e1fdb59a3cf076c553770beae29a99

SHA256
a8de2e6e6e3a6c7981e15602ed6e3012ea933d5908af94351a922c72edb44576

SHA512
b8105e9b5cf6bd3ac06b0448abe08475a8e47dab0e411acd0889317e573eaec78b70f49495fa120e016af2d899f1bed575614ea0c7b429c99511f0052dd666b4

Download Submit
\??\c:\Windows\System32\CSC5015FD0BDB6F40C8BAC7A47AA95CFF3.TMP

Filesize
1KB

MD5
63dccfbcf5aba924ef5ebcbd2e0a0be4

SHA1
5e7dffbe92be4bb13d57ad76f4ae647fac591097

SHA256
897a3e81ae434a8b737a8ccb59ff24479f8ecfbec18ce165afce3beda4a40dbe

SHA512
9a3035de25fce4f51c26961e800c3efbe462c69d44005edd7abc06cd901bd24e935c14c745ff786f2d8fd00f174bf8d0c479321e9eb4427740223639b09d4202

Download Submit
memory/1564-60-0x000000001B690000-0x000000001B6FB000-memory.dmp

Filesize
428KB

Download
memory/4904-7-0x00007FFF0AF20000-0x00007FFF0B9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-24-0x00007FFF0AF20000-0x00007FFF0B9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-16-0x00000000024E0000-0x00000000024EC000-memory.dmp

Filesize
48KB

Download
memory/4904-13-0x0000000002690000-0x00000000026A8000-memory.dmp

Filesize
96KB

Download
memory/4904-11-0x000000001B130000-0x000000001B180000-memory.dmp

Filesize
320KB

Download
memory/4904-8-0x00007FFF0AF20000-0x00007FFF0B9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-17-0x00007FFF0AF20000-0x00007FFF0B9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-18-0x00007FFF0AF20000-0x00007FFF0B9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-20-0x00007FFF0AF20000-0x00007FFF0B9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-14-0x00007FFF0AF20000-0x00007FFF0B9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-10-0x0000000002670000-0x000000000268C000-memory.dmp

Filesize
112KB

Download
memory/4904-0-0x00007FFF0AF23000-0x00007FFF0AF25000-memory.dmp

Filesize
8KB

Download
memory/4904-6-0x00000000024D0000-0x00000000024DE000-memory.dmp

Filesize
56KB

Download
memory/4904-47-0x00007FFF0AF20000-0x00007FFF0B9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-50-0x000000001B6E0000-0x000000001B74B000-memory.dmp

Filesize
428KB

Download
memory/4904-51-0x00007FFF0AF20000-0x00007FFF0B9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-4-0x00007FFF0AF20000-0x00007FFF0B9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-3-0x00007FFF0AF20000-0x00007FFF0B9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-2-0x00007FFF0AF20000-0x00007FFF0B9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-1-0x0000000000140000-0x000000000031A000-memory.dmp

Filesize
1.9MB

Download