dcrat | 2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728

Analysis

max time kernel
94s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2025 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Size

1.8MB
MD5

fcd38cbaa3982793517697bf89f666cc
SHA1

c345ceffabb9decaaa1e7a4f9582313401cbd589
SHA256

2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728
SHA512

8c5b64aa64dbc494e413b4e83b21c4f9bb0e3dd684a601c4faf1896e2f7d13cdb0885405b17839390358f823f4d61ea608b14f14e3f98d52a03778be64df0b9d
SSDEEP

24576:QNHIUS4ZU8NigrQ1JKwsy3CL3sZb2W2LimA2putPYrrJUHJZ5HwhJ5Ji2aaf1kWT:oII8LFCL3sZqd204AKHFgTI2aU1kW

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\winlogon.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\OfficeClickToRun.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\winlogon.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\winlogon.exe\", \"C:\\Users\\Default User\\lsass.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\winlogon.exe\", \"C:\\Users\\Default User\\lsass.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	3584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	3584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	3584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	3584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	3584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	3584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	3584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	3584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	3584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	3584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	3584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	3584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	3584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	3584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	3584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	3584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	3584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	3584	schtasks.exe	85

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe

Executes dropped EXE 1 IoCs

pid	Process
4656	winlogon.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\OfficeClickToRun.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default User\\lsass.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default User\\lsass.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\OfficeClickToRun.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\All Users\\Oracle\\Java\\winlogon.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\All Users\\Oracle\\Java\\winlogon.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe\""	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC4E7FFFD861D548D3AEDDDD6067BE397B.TMP	csc.exe
File created	\??\c:\Windows\System32\u1u3f5.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OfficeClickToRun.exe	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\e6c9b481da804f	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3948	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000_Classes\Local Settings	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3948	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4640	schtasks.exe
4336	schtasks.exe
3416	schtasks.exe
1460	schtasks.exe
2292	schtasks.exe
548	schtasks.exe
3252	schtasks.exe
4132	schtasks.exe
2884	schtasks.exe
5048	schtasks.exe
4456	schtasks.exe
4768	schtasks.exe
3084	schtasks.exe
2248	schtasks.exe
5088	schtasks.exe
3068	schtasks.exe
3092	schtasks.exe
1712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
4656	winlogon.exe
4656	winlogon.exe
4656	winlogon.exe
4656	winlogon.exe
4656	winlogon.exe
4656	winlogon.exe
4656	winlogon.exe
4656	winlogon.exe
4656	winlogon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
Token: SeDebugPrivilege	4656	winlogon.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 1804	2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe	89
PID 2892 wrote to memory of 1804	2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe	89
PID 1804 wrote to memory of 4876	1804	csc.exe	91
PID 1804 wrote to memory of 4876	1804	csc.exe	91
PID 2892 wrote to memory of 4240	2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe	107
PID 2892 wrote to memory of 4240	2892	2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe	107
PID 4240 wrote to memory of 4940	4240	cmd.exe	109
PID 4240 wrote to memory of 4940	4240	cmd.exe	109
PID 4240 wrote to memory of 3948	4240	cmd.exe	110
PID 4240 wrote to memory of 3948	4240	cmd.exe	110
PID 4240 wrote to memory of 4656	4240	cmd.exe	113
PID 4240 wrote to memory of 4656	4240	cmd.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe
"C:\Users\Admin\AppData\Local\Temp\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dvv04vpr\dvv04vpr.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA299.tmp" "c:\Windows\System32\CSC4E7FFFD861D548D3AEDDDD6067BE397B.TMP"
    3⤵
    PID:4876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MYivJRkVQr.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4940
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3948
- - C:\Recovery\WindowsRE\winlogon.exe
    "C:\Recovery\WindowsRE\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Oracle\Java\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Oracle\Java\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb7282" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb7282" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\winlogon.exe

Filesize
1.8MB

MD5
fcd38cbaa3982793517697bf89f666cc

SHA1
c345ceffabb9decaaa1e7a4f9582313401cbd589

SHA256
2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728

SHA512
8c5b64aa64dbc494e413b4e83b21c4f9bb0e3dd684a601c4faf1896e2f7d13cdb0885405b17839390358f823f4d61ea608b14f14e3f98d52a03778be64df0b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYivJRkVQr.bat

Filesize
162B

MD5
b0003970f6df252a84970800c68029b1

SHA1
4ac16d98cba9a16b03907b0db2486b35a5b9dfca

SHA256
1708248fc9d96bbcdd220da7ff17bda35b97aec3945490063518264518d46160

SHA512
c2bcb9a8ebfdd8ed9186bd1ae340e52d3b976a1cb46a9cce9f63e099a0a4061209fd6dec0d3bfb2787e55e3af8100750dd571b21161cafcdc5eb0166f08111b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA299.tmp

Filesize
1KB

MD5
2e4e53036504f8e5832c2bb2b0871913

SHA1
c08c63bccd5be0a28c10559257ec01d44460e564

SHA256
01b01240dbb9bf8907d882dc6e82e031e21bc8256296a1f8035414ddf96c18ca

SHA512
ad6ac1538fe879c1e80aee02387651b6754de63751ad65eee9fe086b262fcaef6bba02515e550c7ad275385c16114489aaff76c04c6ff2deaf8bad3f1fb239c1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dvv04vpr\dvv04vpr.0.cs

Filesize
366B

MD5
0d88e658c20e5948d8990fcd6bfb66ee

SHA1
8bffc0c2e1b80fc79bd5be973907c88b34af8461

SHA256
76900fad683896983e1b74d6cbe4424404d9cdc4d1bc9e07e7ba4c5aeaed0dec

SHA512
3e238e3b69a18c0fadf61c9ad92fdb747707539b4806554564a0021383c5f2599639d045237d1a088daed6d6781669a9af401f4e219f8273298232d5d9551fd5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dvv04vpr\dvv04vpr.cmdline

Filesize
235B

MD5
94b18faf67f874648c9fede68340ef7b

SHA1
95922ce9eaddd96570b2fead5693d327e96d5344

SHA256
8f5827e334410ff47840cb87e9f8aebe9c43e6c411ce4023ce5885e8eded6efc

SHA512
4c2ba4b0260b5f3642d144054ca34c7275ef18774e9e336dd3b9e95d7885b7c107de4b5abcda672fcd85e17d40b9a13421ecbc12284ae415280a9f110e9400b9

Download Submit
\??\c:\Windows\System32\CSC4E7FFFD861D548D3AEDDDD6067BE397B.TMP

Filesize
1KB

MD5
f1480fb87a76e200f58ddd71dcc52561

SHA1
500f9537e6ea8443665089ab5426a89bf84598e2

SHA256
e592099b51004199946d1a2ce3f4492db1e724c9b4fe2354e570e8e287a8b4ed

SHA512
15d1e26cf2ab221200e14d7f2220d27c66a87bf1a935124910d8114c9efbca15d14d834a830150c478d0a193f58a9ae8a1c3f428ff26e4ecf600807de150812e

Download Submit
memory/2892-13-0x000000001B290000-0x000000001B2A8000-memory.dmp

Filesize
96KB

Download
memory/2892-31-0x00007FFC774A0000-0x00007FFC77F61000-memory.dmp

Filesize
10.8MB

Download
memory/2892-10-0x0000000002840000-0x000000000285C000-memory.dmp

Filesize
112KB

Download
memory/2892-11-0x000000001B410000-0x000000001B460000-memory.dmp

Filesize
320KB

Download
memory/2892-0-0x00007FFC774A3000-0x00007FFC774A5000-memory.dmp

Filesize
8KB

Download
memory/2892-16-0x00007FFC774A0000-0x00007FFC77F61000-memory.dmp

Filesize
10.8MB

Download
memory/2892-15-0x0000000002810000-0x000000000281C000-memory.dmp

Filesize
48KB

Download
memory/2892-22-0x00007FFC774A0000-0x00007FFC77F61000-memory.dmp

Filesize
10.8MB

Download
memory/2892-5-0x00007FFC774A0000-0x00007FFC77F61000-memory.dmp

Filesize
10.8MB

Download
memory/2892-8-0x00007FFC774A0000-0x00007FFC77F61000-memory.dmp

Filesize
10.8MB

Download
memory/2892-34-0x00007FFC774A0000-0x00007FFC77F61000-memory.dmp

Filesize
10.8MB

Download
memory/2892-7-0x0000000002800000-0x000000000280E000-memory.dmp

Filesize
56KB

Download
memory/2892-4-0x00007FFC774A0000-0x00007FFC77F61000-memory.dmp

Filesize
10.8MB

Download
memory/2892-3-0x00007FFC774A0000-0x00007FFC77F61000-memory.dmp

Filesize
10.8MB

Download
memory/2892-2-0x00007FFC774A0000-0x00007FFC77F61000-memory.dmp

Filesize
10.8MB

Download
memory/2892-49-0x00007FFC774A0000-0x00007FFC77F61000-memory.dmp

Filesize
10.8MB

Download
memory/2892-1-0x0000000000470000-0x000000000064A000-memory.dmp

Filesize
1.9MB

Download