dcrat | e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2025 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
Size

769KB
MD5

cf40b5e2332d76b97a1a1a18f89b68ef
SHA1

2c352c7e4521570c3cd7c99a35b715feed866f03
SHA256

e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272
SHA512

27ac673faa2306c572a5600195c08c875c47892df513547cfba91674e37fdd0876c2344662c81ecf00a0b3bbe515e07696b248f64e1221bec4398b3b1cff7f9a
SSDEEP

12288:CvTnXW/cYwVIB/6f/iJJMA+opW3Ari4VVyZC0+1ctHNt8KF4AXDYZ6:CvTn2whf/MJMA+o3iE0n3a6

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe\", \"C:\\Windows\\Logs\\MeasuredBoot\\sysmon.exe\", \"C:\\Users\\Default\\Desktop\\winlogon.exe\", \"C:\\Program Files\\Google\\Chrome\\taskhostw.exe\", \"C:\\Program Files\\Windows NT\\winlogon.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe\""	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe\""	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe\", \"C:\\Windows\\Logs\\MeasuredBoot\\sysmon.exe\""	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe\", \"C:\\Windows\\Logs\\MeasuredBoot\\sysmon.exe\", \"C:\\Users\\Default\\Desktop\\winlogon.exe\""	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe\", \"C:\\Windows\\Logs\\MeasuredBoot\\sysmon.exe\", \"C:\\Users\\Default\\Desktop\\winlogon.exe\", \"C:\\Program Files\\Google\\Chrome\\taskhostw.exe\""	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe\", \"C:\\Windows\\Logs\\MeasuredBoot\\sysmon.exe\", \"C:\\Users\\Default\\Desktop\\winlogon.exe\", \"C:\\Program Files\\Google\\Chrome\\taskhostw.exe\", \"C:\\Program Files\\Windows NT\\winlogon.exe\""	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	1712	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	1712	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	1712	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	1712	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	1712	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	1712	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	1712	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	1712	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	1712	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	1712	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	1712	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	1712	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	1712	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	1712	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	1712	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	1712	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1712	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	1712	schtasks.exe	84

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/1152-1-0x0000000000020000-0x00000000000E6000-memory.dmp	family_dcrat_v2
behavioral2/files/0x000a000000023b89-22.dat	family_dcrat_v2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe

Executes dropped EXE 1 IoCs

pid	Process
2964	taskhostw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default\\Desktop\\winlogon.exe\""	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Google\\Chrome\\taskhostw.exe\""	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows NT\\winlogon.exe\""	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe\""	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272 = "\"C:\\Recovery\\WindowsRE\\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe\""	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272 = "\"C:\\Recovery\\WindowsRE\\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe\""	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\Logs\\MeasuredBoot\\sysmon.exe\""	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\Logs\\MeasuredBoot\\sysmon.exe\""	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe\""	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default\\Desktop\\winlogon.exe\""	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Google\\Chrome\\taskhostw.exe\""	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows NT\\winlogon.exe\""	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC4A96D50EAD84A3DA9D1135B331063B9.TMP	csc.exe
File created	\??\c:\Windows\System32\hpabal.exe	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\winlogon.exe	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
File opened for modification	C:\Program Files\Windows NT\winlogon.exe	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
File created	C:\Program Files\Windows NT\cc11b995f2a76d	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
File created	C:\Program Files\Google\Chrome\taskhostw.exe	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
File created	C:\Program Files\Google\Chrome\ea9f0e6c9e2dcd	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Logs\MeasuredBoot\sysmon.exe	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
File created	C:\Windows\Logs\MeasuredBoot\121e5b5079f7c0	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4496	schtasks.exe
2392	schtasks.exe
516	schtasks.exe
224	schtasks.exe
4276	schtasks.exe
2920	schtasks.exe
1668	schtasks.exe
2340	schtasks.exe
2272	schtasks.exe
3352	schtasks.exe
964	schtasks.exe
5040	schtasks.exe
3000	schtasks.exe
1880	schtasks.exe
2876	schtasks.exe
1228	schtasks.exe
960	schtasks.exe
4736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2964	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
Token: SeDebugPrivilege	2964	taskhostw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 5056	1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe	88
PID 1152 wrote to memory of 5056	1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe	88
PID 5056 wrote to memory of 1964	5056	csc.exe	90
PID 5056 wrote to memory of 1964	5056	csc.exe	90
PID 1152 wrote to memory of 4288	1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe	106
PID 1152 wrote to memory of 4288	1152	e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe	106
PID 4288 wrote to memory of 432	4288	cmd.exe	108
PID 4288 wrote to memory of 432	4288	cmd.exe	108
PID 4288 wrote to memory of 4184	4288	cmd.exe	109
PID 4288 wrote to memory of 4184	4288	cmd.exe	109
PID 4288 wrote to memory of 2964	4288	cmd.exe	116
PID 4288 wrote to memory of 2964	4288	cmd.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe
"C:\Users\Admin\AppData\Local\Temp\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5k2pucnb\5k2pucnb.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC95.tmp" "c:\Windows\System32\CSC4A96D50EAD84A3DA9D1135B331063B9.TMP"
    3⤵
    PID:1964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U43pGo3mra.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:432
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4184
- - C:\Program Files\Google\Chrome\taskhostw.exe
    "C:\Program Files\Google\Chrome\taskhostw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272e" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272e" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Windows\Logs\MeasuredBoot\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Logs\MeasuredBoot\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\MeasuredBoot\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Desktop\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272e" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272e" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272.exe

Filesize
769KB

MD5
cf40b5e2332d76b97a1a1a18f89b68ef

SHA1
2c352c7e4521570c3cd7c99a35b715feed866f03

SHA256
e2fbb2295fdaf8d692657bb330682117c536f5b04c3ee0afdf70a8541a27f272

SHA512
27ac673faa2306c572a5600195c08c875c47892df513547cfba91674e37fdd0876c2344662c81ecf00a0b3bbe515e07696b248f64e1221bec4398b3b1cff7f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDC95.tmp

Filesize
1KB

MD5
1edda5779f92f973e405a9b05e0ddae9

SHA1
558be3f4db7c2aeeb39f795ab1d22d2d5af7b572

SHA256
c8c4254f5750ba481c40b060c7748e60eb8ec82a10340de64ea5ddca86025e27

SHA512
9e1a816d99503be1dbbad6622852d76b4b509fb76c6019827273e2472fcb2fe5c956d1f20ca3a5a1718440fc41510fa53769512e65406bfcf37049d8b5589cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\U43pGo3mra.bat

Filesize
220B

MD5
a93ebf5dc4bc25c45562a9a7a991943c

SHA1
88b3429042cfe7c3a058af09c5d9a5f3a2712432

SHA256
c58951862f865debcb17f09926f8c461cc7e7b588c5a993cac4b7c336f4fc96d

SHA512
d3c3285108d93d61bd8a4cc483bb423808c94ad3cd55c3492c35840586d2e6f1a1463c052bf4c66e5a343e9a5c93ae838ab6a7f649a3a7046114da9c49303230

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5k2pucnb\5k2pucnb.0.cs

Filesize
422B

MD5
9acf677aa171b9bb119fab8a6d7d41c4

SHA1
0e4f6bf41e637d13696e8e8038ee57bfcff0c415

SHA256
a6d8729cea8211bccfb179403ac05f9ecf3649b0bd02a1090fe7954ed77eb1f7

SHA512
9d528f9fa6c209250663078ecac2a3f2fc01c686a3ba5f2410733dbc7795fcd02a448040253f4fc7b49a399de3c8cd0bde783ab77cbf00c9e63ae6504067cac7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5k2pucnb\5k2pucnb.cmdline

Filesize
235B

MD5
a9fdf76a20a0ba5530c6b337eda74ad0

SHA1
2ae87aeff53f8dfc715878b39d4cbfd624aab74d

SHA256
73c280fc3b61589fa8bf5877abeaae0eebddbb0ace68ff1486ae03ecb33b79da

SHA512
1b19804a6d072dd801e0cbba240f8ddd27c4d1271e3dca483f3fcbfffc90ef06180e35fe8b3de73b12c4a3f7b337c340308eb2eb96db17713336b8f9b93b2c7e

Download Submit
\??\c:\Windows\System32\CSC4A96D50EAD84A3DA9D1135B331063B9.TMP

Filesize
1KB

MD5
5feddd0eaa092197cf02f7969473a7d2

SHA1
c58f632235df253f1becdd483ff64920ac2a90f5

SHA256
7e282993b55f2c19683f520a08bc8a14be23638b285577707159e2dffaa54b8f

SHA512
5991dd3ef74801657aca07b9b56e4b567f9ac270fd946d06bfbe1f3b8791a57f621b12435bc08d901c9923bb4f83c027065f6623dcaafefd3a9d6c8b070c2227

Download Submit
memory/1152-12-0x0000000002160000-0x000000000216C000-memory.dmp

Filesize
48KB

Download
memory/1152-10-0x00007FFC07ED0000-0x00007FFC08991000-memory.dmp

Filesize
10.8MB

Download
memory/1152-0-0x00007FFC07ED3000-0x00007FFC07ED5000-memory.dmp

Filesize
8KB

Download
memory/1152-9-0x00000000021D0000-0x00000000021E8000-memory.dmp

Filesize
96KB

Download
memory/1152-24-0x00007FFC07ED0000-0x00007FFC08991000-memory.dmp

Filesize
10.8MB

Download
memory/1152-25-0x00007FFC07ED0000-0x00007FFC08991000-memory.dmp

Filesize
10.8MB

Download
memory/1152-29-0x00007FFC07ED0000-0x00007FFC08991000-memory.dmp

Filesize
10.8MB

Download
memory/1152-7-0x000000001AD30000-0x000000001AD80000-memory.dmp

Filesize
320KB

Download
memory/1152-6-0x00000000021B0000-0x00000000021CC000-memory.dmp

Filesize
112KB

Download
memory/1152-4-0x0000000002150000-0x000000000215E000-memory.dmp

Filesize
56KB

Download
memory/1152-2-0x00007FFC07ED0000-0x00007FFC08991000-memory.dmp

Filesize
10.8MB

Download
memory/1152-44-0x00007FFC07ED0000-0x00007FFC08991000-memory.dmp

Filesize
10.8MB

Download
memory/1152-1-0x0000000000020000-0x00000000000E6000-memory.dmp

Filesize
792KB

Download