dcrat | a1ddae9574bbeadd40b789fc8c7719b47c0d4bd8ed93abbd1d07f7e866ac40a6

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Size

1.1MB
MD5

9a3fe6a67de09aa96ba2e5be3280ea4c
SHA1

6e4ffce312e07e64e58d3711d22873956299792c
SHA256

ad954fbd7d3e5259656f1f933b0d0e0528fca132b9212fceafb203211267efbf
SHA512

fb3a712d3ac88c3510c8759a0ae3465fa376eda8875f80eef28231c3a0955fc49032200637a695cf7c3f0b7a3e05fa84fbaff3992d58148c5d016c0ecb8e983b
SSDEEP

12288:t6NE5eSwJu37+GXJpkaI7ShG54v4ahgVY3whNG8/LI6i4ejmtnbAouuFteLBdBN9:t6NReJXJIwvJgVQSoPEzKkLXa

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Music\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\taskhost.exe\", \"C:\\Users\\Admin\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\csrss.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Music\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\taskhost.exe\", \"C:\\Users\\Admin\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\csrss.exe\", \"C:\\Windows\\Downloaded Program Files\\lsm.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\OSPPSVC.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Music\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\taskhost.exe\", \"C:\\Users\\Admin\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\csrss.exe\", \"C:\\Windows\\Downloaded Program Files\\lsm.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\OSPPSVC.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\sppsvc.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Music\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\taskhost.exe\", \"C:\\Users\\Admin\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\csrss.exe\", \"C:\\Windows\\Downloaded Program Files\\lsm.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\OSPPSVC.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\dllhost.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Music\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\taskhost.exe\", \"C:\\Users\\Admin\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\csrss.exe\", \"C:\\Windows\\Downloaded Program Files\\lsm.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Music\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\taskhost.exe\", \"C:\\Users\\Admin\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\csrss.exe\", \"C:\\Windows\\Downloaded Program Files\\lsm.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\OSPPSVC.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Music\\csrss.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Music\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\taskhost.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Music\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\taskhost.exe\", \"C:\\Users\\Admin\\lsass.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Music\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\taskhost.exe\", \"C:\\Users\\Admin\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\sppsvc.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2924	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral31/memory/308-1-0x0000000000E20000-0x0000000000F4C000-memory.dmp	dcrat
behavioral31/files/0x000500000001958e-21.dat	dcrat
behavioral31/memory/548-113-0x0000000000850000-0x000000000097C000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
548	lsass.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Downloaded Program Files\\lsm.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Downloaded Program Files\\lsm.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\sppsvc.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\sppsvc.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\lsass.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\OSPPSVC.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\dllhost.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\dllhost.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Music\\csrss.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\lsass.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Windows Defender\\fr-FR\\taskhost.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\sppsvc.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\csrss.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\OSPPSVC.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Music\\csrss.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Windows Defender\\fr-FR\\taskhost.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\sppsvc.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\csrss.exe\""	9a3fe6a67de09aa96ba2e5be3280ea4c.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\fr-FR\taskhost.exe	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
File created	C:\Program Files\Windows Defender\fr-FR\b75386f1303e64	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\RCX895D.tmp	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\taskhost.exe	9a3fe6a67de09aa96ba2e5be3280ea4c.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\101b941d020240	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
File created	C:\Windows\Performance\WinSAT\DataStore\OSPPSVC.exe	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
File created	C:\Windows\Performance\WinSAT\DataStore\1610b97d3ab4a7	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCX91DA.tmp	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
File opened for modification	C:\Windows\Downloaded Program Files\lsm.exe	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCX93DE.tmp	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\OSPPSVC.exe	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
File created	C:\Windows\Downloaded Program Files\lsm.exe	9a3fe6a67de09aa96ba2e5be3280ea4c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1768	schtasks.exe
2908	schtasks.exe
2208	schtasks.exe
1264	schtasks.exe
2384	schtasks.exe
1872	schtasks.exe
2232	schtasks.exe
2876	schtasks.exe
2564	schtasks.exe
2940	schtasks.exe
1164	schtasks.exe
1324	schtasks.exe
2316	schtasks.exe
2252	schtasks.exe
2184	schtasks.exe
2092	schtasks.exe
2216	schtasks.exe
2320	schtasks.exe
596	schtasks.exe
656	schtasks.exe
2896	schtasks.exe
2324	schtasks.exe
1576	schtasks.exe
1260	schtasks.exe
3012	schtasks.exe
2652	schtasks.exe
1968	schtasks.exe
2704	schtasks.exe
2900	schtasks.exe
2088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
308	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
308	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
308	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
548	lsass.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	308	9a3fe6a67de09aa96ba2e5be3280ea4c.exe
Token: SeDebugPrivilege	548	lsass.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 308 wrote to memory of 616	308	9a3fe6a67de09aa96ba2e5be3280ea4c.exe	61
PID 308 wrote to memory of 616	308	9a3fe6a67de09aa96ba2e5be3280ea4c.exe	61
PID 308 wrote to memory of 616	308	9a3fe6a67de09aa96ba2e5be3280ea4c.exe	61
PID 616 wrote to memory of 2380	616	cmd.exe	63
PID 616 wrote to memory of 2380	616	cmd.exe	63
PID 616 wrote to memory of 2380	616	cmd.exe	63
PID 616 wrote to memory of 548	616	cmd.exe	64
PID 616 wrote to memory of 548	616	cmd.exe	64
PID 616 wrote to memory of 548	616	cmd.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9a3fe6a67de09aa96ba2e5be3280ea4c.exe
"C:\Users\Admin\AppData\Local\Temp\9a3fe6a67de09aa96ba2e5be3280ea4c.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CyxGcg3L6d.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:616
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2380
- - C:\Users\Admin\lsass.exe
    "C:\Users\Admin\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Music\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\fr-FR\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\WinSAT\DataStore\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe

Filesize
1.1MB

MD5
9a3fe6a67de09aa96ba2e5be3280ea4c

SHA1
6e4ffce312e07e64e58d3711d22873956299792c

SHA256
ad954fbd7d3e5259656f1f933b0d0e0528fca132b9212fceafb203211267efbf

SHA512
fb3a712d3ac88c3510c8759a0ae3465fa376eda8875f80eef28231c3a0955fc49032200637a695cf7c3f0b7a3e05fa84fbaff3992d58148c5d016c0ecb8e983b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CyxGcg3L6d.bat

Filesize
189B

MD5
4e8759f2771f42a60e94c1013557d5e1

SHA1
be9a09061bb52e1f8979ea1c8f303a0721e23f35

SHA256
f4564db02399eda91e39a1cfcf23120546abb6cc37f4265103639fa1eba2e1ec

SHA512
2016d63e404dde8986ceeea624743984bd2e94358d1ce6122d71a907c3d6bb85ea7c3e88f0202161ba947e19f6517910e172d0c128c9c220508c0cc6a4b2d91a

Download Submit
memory/308-8-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download
memory/308-10-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/308-4-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/308-5-0x0000000000810000-0x0000000000826000-memory.dmp

Filesize
88KB

Download
memory/308-6-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/308-7-0x0000000000AF0000-0x0000000000B00000-memory.dmp

Filesize
64KB

Download
memory/308-0-0x000007FEF5E63000-0x000007FEF5E64000-memory.dmp

Filesize
4KB

Download
memory/308-9-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/308-11-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

Filesize
56KB

Download
memory/308-3-0x00000000005E0000-0x00000000005FC000-memory.dmp

Filesize
112KB

Download
memory/308-12-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

Filesize
48KB

Download
memory/308-2-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/308-1-0x0000000000E20000-0x0000000000F4C000-memory.dmp

Filesize
1.2MB

Download
memory/308-110-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/548-113-0x0000000000850000-0x000000000097C000-memory.dmp

Filesize
1.2MB

Download
memory/548-114-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/548-115-0x0000000000650000-0x0000000000662000-memory.dmp

Filesize
72KB

Download