dcrat | 9f09328091800505339ee1a9f01b6a7646ed60d2ed21808b5e171175f1723b6b

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2025 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Size

1.9MB
MD5

aae1c0e394855b9138d9d540a884eb1c
SHA1

76443a092ea47adebb55e663c8299c495dd9e324
SHA256

9f09328091800505339ee1a9f01b6a7646ed60d2ed21808b5e171175f1723b6b
SHA512

a3bda818e3c84e16ae7788ecf4bce9712ab23a152ff164a5cb4e3723e8145ad912cbdc7c2902bb937812e9335733e8252b015eef92d4745b17403a632cbf7322
SSDEEP

49152:HU7L1b7b3wCVJFpcHWhW8bLoym4ZEu9eBknBe6Y:HU7hbXAagWc8fo4ZESc6

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\fr-FR\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\ja-JP\\upfc.exe\", \"C:\\Windows\\Panther\\setup.exe\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\fr-FR\\csrss.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\fr-FR\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\ja-JP\\upfc.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\fr-FR\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\ja-JP\\upfc.exe\", \"C:\\Windows\\Panther\\setup.exe\\dllhost.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\fr-FR\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\ja-JP\\upfc.exe\", \"C:\\Windows\\Panther\\setup.exe\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\fr-FR\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\ja-JP\\upfc.exe\", \"C:\\Windows\\Panther\\setup.exe\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3832	208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	208	schtasks.exe	87

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1256	powershell.exe
5104	powershell.exe
4112	powershell.exe
3436	powershell.exe
3412	powershell.exe
5084	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe

Executes dropped EXE 1 IoCs

pid	Process
1960	winlogon.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Migration\\WTR\\winlogon.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9f09328091800505339ee1a9f01b6a7646ed60d2ed218 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\fr-FR\\csrss.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Panther\\setup.exe\\dllhost.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Internet Explorer\\ja-JP\\upfc.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Panther\\setup.exe\\dllhost.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Migration\\WTR\\winlogon.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9f09328091800505339ee1a9f01b6a7646ed60d2ed218 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\fr-FR\\csrss.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Internet Explorer\\ja-JP\\upfc.exe\""	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ipinfo.io
48	ipinfo.io
49	ipinfo.io
15	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCA0F7FF23B470426DA76F21F3D71E1B4.TMP	csc.exe
File created	\??\c:\Windows\System32\lxswus.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\upfc.exe	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\ea1d8f6d871115	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\csrss.exe	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\886983d96e3d3e	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Migration\WTR\winlogon.exe	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
File created	C:\Windows\Migration\WTR\cc11b995f2a76d	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
File created	C:\Windows\Panther\setup.exe\dllhost.exe	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
File created	C:\Windows\Panther\setup.exe\5940a34987c991	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
File created	C:\Windows\Migration\WTR\winlogon.exe	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4984	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4984	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3540	schtasks.exe
1496	schtasks.exe
2860	schtasks.exe
1692	schtasks.exe
3348	schtasks.exe
3832	schtasks.exe
4804	schtasks.exe
3612	schtasks.exe
4776	schtasks.exe
3140	schtasks.exe
4004	schtasks.exe
828	schtasks.exe
3584	schtasks.exe
112	schtasks.exe
3552	schtasks.exe
1436	schtasks.exe
4400	schtasks.exe
1668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1960	winlogon.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeDebugPrivilege	1960	winlogon.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1632	1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	91
PID 1788 wrote to memory of 1632	1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	91
PID 1632 wrote to memory of 824	1632	csc.exe	93
PID 1632 wrote to memory of 824	1632	csc.exe	93
PID 1788 wrote to memory of 3412	1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	112
PID 1788 wrote to memory of 3412	1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	112
PID 1788 wrote to memory of 5084	1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	113
PID 1788 wrote to memory of 5084	1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	113
PID 1788 wrote to memory of 1256	1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	114
PID 1788 wrote to memory of 1256	1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	114
PID 1788 wrote to memory of 5104	1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	115
PID 1788 wrote to memory of 5104	1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	115
PID 1788 wrote to memory of 4112	1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	116
PID 1788 wrote to memory of 4112	1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	116
PID 1788 wrote to memory of 3436	1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	117
PID 1788 wrote to memory of 3436	1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	117
PID 1788 wrote to memory of 768	1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	124
PID 1788 wrote to memory of 768	1788	9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe	124
PID 768 wrote to memory of 1548	768	cmd.exe	126
PID 768 wrote to memory of 1548	768	cmd.exe	126
PID 768 wrote to memory of 4984	768	cmd.exe	127
PID 768 wrote to memory of 4984	768	cmd.exe	127
PID 768 wrote to memory of 1960	768	cmd.exe	131
PID 768 wrote to memory of 1960	768	cmd.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe
"C:\Users\Admin\AppData\Local\Temp\9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jss2ycdn\jss2ycdn.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC9B.tmp" "c:\Windows\System32\CSCA0F7FF23B470426DA76F21F3D71E1B4.TMP"
    3⤵
    PID:824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\setup.exe\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l8KlzpEP1l.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1548
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4984
- - C:\Windows\Migration\WTR\winlogon.exe
    "C:\Windows\Migration\WTR\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Panther\setup.exe\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\setup.exe\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9f09328091800505339ee1a9f01b6a7646ed60d2ed2189" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9f09328091800505339ee1a9f01b6a7646ed60d2ed218" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9f09328091800505339ee1a9f01b6a7646ed60d2ed2189" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\9f09328091800505339ee1a9f01b6a7646ed60d2ed218.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Photo Viewer\fr-FR\csrss.exe

Filesize
1.9MB

MD5
aae1c0e394855b9138d9d540a884eb1c

SHA1
76443a092ea47adebb55e663c8299c495dd9e324

SHA256
9f09328091800505339ee1a9f01b6a7646ed60d2ed21808b5e171175f1723b6b

SHA512
a3bda818e3c84e16ae7788ecf4bce9712ab23a152ff164a5cb4e3723e8145ad912cbdc7c2902bb937812e9335733e8252b015eef92d4745b17403a632cbf7322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2979eabc783eaca50de7be23dd4eafcf

SHA1
d709ce5f3a06b7958a67e20870bfd95b83cad2ea

SHA256
006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

SHA512
92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAC9B.tmp

Filesize
1KB

MD5
deb6facb70ecc93164d0be636a578302

SHA1
ea56e0b1542020c6ccc34ca9f0d8e0006e9e7023

SHA256
e7e39eac26011e6c190562e94c93c24285055106a08231a967f1dd46660d35e3

SHA512
4dae3144b372eba5b48b5cb33382d85860a2359b52ee60790794a54359dce6b5948c6a1f1f37e2bce0effe2a5b80753dc6ed9fb3eb9a28c0a36a783cb2206431

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uu3tzzfy.34c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\l8KlzpEP1l.bat

Filesize
165B

MD5
a99b05cdbdaad7555f96a1e9eeec26b8

SHA1
00184b2c2be5c55e5c7ddc9aa7e4bd9c81b65744

SHA256
1fdfdfffb746c5952c1e417947423f729470cf112fccd70680a78fda9bc492a6

SHA512
8cc1e4d57666364cd1c7245a7fc82f57bc533ee750756d081110ee4f09997eb66c306ae5ed85e285f7baab37009b7553230b5543bb282fab65805976805f7022

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jss2ycdn\jss2ycdn.0.cs

Filesize
391B

MD5
35fec35a46e93eb597d138dbae067434

SHA1
6a02221dcde10be10f15820a5537c191d9c9cd20

SHA256
8dfd8d5313de8158fd66a811a584938a8755b30547309d799ea2c85f38c2a549

SHA512
675c937060c83f2dd910509c8a92542c7048aa4f426510bd7c4fd21055c684c7d59e3c979795208050c73720477113e770d5da33ea545c868ca294d6911c2bd4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jss2ycdn\jss2ycdn.cmdline

Filesize
235B

MD5
49bef56cd848964594cdd8289726813b

SHA1
6dfee3b6070aa33ed9be45dd08f0cc4c6b746476

SHA256
3d4443637a68a1a888befe1cd8a02a24b9791bf3d642ffd28071de4f8b4df6ea

SHA512
d8b0a42bcfb9edb08145d511ccb9064a5cebf28a2e8c626604aab316f36d51f4d87cf0f8cb8230a1965c9571885954dc7ca6fabddd7a757bef4ecca16f2a8a8a

Download Submit
\??\c:\Windows\System32\CSCA0F7FF23B470426DA76F21F3D71E1B4.TMP

Filesize
1KB

MD5
72f89171a1931b941e3fcc281bfc549e

SHA1
9648145810bb8b9ecef682a8215a08065723852e

SHA256
b1858806d65859b1f0607bdb45b33cbc0745c496a45414b6833c94a5a792a938

SHA512
04e9a596bc2354251ef44848eb1662658b053fd6065369c8ca46f6c597516738d57efafe9669fb9d20dbe4b957d6afa379fc48a06c252260419a82de72e4cf8a

Download Submit
memory/1788-16-0x00000000031F0000-0x00000000031FC000-memory.dmp

Filesize
48KB

Download
memory/1788-18-0x0000000003200000-0x0000000003208000-memory.dmp

Filesize
32KB

Download
memory/1788-12-0x00007FFA04080000-0x00007FFA04B41000-memory.dmp

Filesize
10.8MB

Download
memory/1788-11-0x000000001BCA0000-0x000000001BCF0000-memory.dmp

Filesize
320KB

Download
memory/1788-10-0x0000000003210000-0x000000000322C000-memory.dmp

Filesize
112KB

Download
memory/1788-23-0x00007FFA04080000-0x00007FFA04B41000-memory.dmp

Filesize
10.8MB

Download
memory/1788-34-0x00007FFA04080000-0x00007FFA04B41000-memory.dmp

Filesize
10.8MB

Download
memory/1788-20-0x0000000003260000-0x000000000326C000-memory.dmp

Filesize
48KB

Download
memory/1788-35-0x00007FFA04080000-0x00007FFA04B41000-memory.dmp

Filesize
10.8MB

Download
memory/1788-36-0x00007FFA04080000-0x00007FFA04B41000-memory.dmp

Filesize
10.8MB

Download
memory/1788-21-0x00007FFA04080000-0x00007FFA04B41000-memory.dmp

Filesize
10.8MB

Download
memory/1788-14-0x0000000003230000-0x0000000003248000-memory.dmp

Filesize
96KB

Download
memory/1788-0-0x00007FFA04083000-0x00007FFA04085000-memory.dmp

Filesize
8KB

Download
memory/1788-8-0x00007FFA04080000-0x00007FFA04B41000-memory.dmp

Filesize
10.8MB

Download
memory/1788-1-0x0000000000F00000-0x00000000010E4000-memory.dmp

Filesize
1.9MB

Download
memory/1788-7-0x00000000031E0000-0x00000000031EE000-memory.dmp

Filesize
56KB

Download
memory/1788-73-0x00007FFA04080000-0x00007FFA04B41000-memory.dmp

Filesize
10.8MB

Download
memory/1788-5-0x00007FFA04080000-0x00007FFA04B41000-memory.dmp

Filesize
10.8MB

Download
memory/1788-4-0x00007FFA04080000-0x00007FFA04B41000-memory.dmp

Filesize
10.8MB

Download
memory/1788-3-0x00007FFA04080000-0x00007FFA04B41000-memory.dmp

Filesize
10.8MB

Download
memory/1788-2-0x00007FFA04080000-0x00007FFA04B41000-memory.dmp

Filesize
10.8MB

Download
memory/4112-63-0x00000289AD6B0000-0x00000289AD6D2000-memory.dmp

Filesize
136KB

Download