dcrat | 2f0cdc7d4ba53c01c835c4f1dfd15d7bd86f96ed767a279cb9c8529b44cd4931

General

Target

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Size

2.4MB
MD5

0e444044fdfea512ca18fc3396abb65b
SHA1

8b601ccad5b2a76967c0ca7579dc13d092307f34
SHA256

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755
SHA512

7b58b88c7fbcd7b97d1a08f2145794beefa2960382140bac74f1f4fe630cdd0314cd9bceb599a32c56788df1e0e9dccf84c1598c52f9c581389327428696e119
SSDEEP

49152:bkcwlRFUh2b69Cs9MR3uh+tytRY1aLXYqIiiJd2EHt:bkdlRI3ceI1azYqWj

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	1724	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1724	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exeWMIADAP.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1060-54-0x0000000001350000-0x00000000015C8000-memory.dmp	dcrat
C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe	dcrat
C:\Program Files\7-Zip\Lang\WMIADAP.exe	dcrat
C:\Program Files\7-Zip\Lang\WMIADAP.exe	dcrat
behavioral1/memory/1824-91-0x0000000001100000-0x0000000001378000-memory.dmp	dcrat
behavioral1/memory/1200-92-0x0000000140000000-0x00000001405E8000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

WMIADAP.exe

pid process

1824 WMIADAP.exe

pid	process
1824	WMIADAP.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WMIADAP.exe3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe

Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\system32\eventvwr.msc mmc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\eventvwr.msc	mmc.exe

Drops file in Program Files directory 11 IoCs

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\WMIADAP.exe	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Program Files\7-Zip\Lang\75a57c1bdf437c	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\886983d96e3d3e	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\taskhost.exe	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Program Files\Internet Explorer\6cb0b6c459d5d3	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Program Files\Internet Explorer\dwm.exe	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\886983d96e3d3e	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\taskhost.exe	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\b75386f1303e64	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe

Drops file in Windows directory 7 IoCs

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe

description	ioc	process
File created	C:\Windows\PolicyDefinitions\de-DE\7a0fd90576e088	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Windows\it-IT\3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Windows\it-IT\4a9626db573c5f	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Windows\Tasks\lsass.exe	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Windows\Tasks\6203df4a6bafc7	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Windows\schemas\TSWorkSpace\spoolsv.exe	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Windows\PolicyDefinitions\de-DE\explorer.exe	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1672	schtasks.exe
1256	schtasks.exe
1276	schtasks.exe
1948	schtasks.exe
436	schtasks.exe
1900	schtasks.exe
564	schtasks.exe
1552	schtasks.exe
1804	schtasks.exe
832	schtasks.exe
1968	schtasks.exe
2024	schtasks.exe
112	schtasks.exe
972	schtasks.exe
960	schtasks.exe
1708	schtasks.exe
1200	schtasks.exe
1700	schtasks.exe
372	schtasks.exe
1464	schtasks.exe
1488	schtasks.exe
1480	schtasks.exe
1892	schtasks.exe
1556	schtasks.exe
1648	schtasks.exe
1944	schtasks.exe
572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exetaskmgr.exeWMIADAP.exe

pid	process
1060	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
1060	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
1060	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
1060	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
1060	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
1060	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
1060	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
1060	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
1060	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
1200	taskmgr.exe
1200	taskmgr.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1200	taskmgr.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1200	taskmgr.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1200	taskmgr.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1200	taskmgr.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1200	taskmgr.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1200	taskmgr.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1200	taskmgr.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1200	taskmgr.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1200	taskmgr.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1200	taskmgr.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1200	taskmgr.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1200	taskmgr.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1200	taskmgr.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1200	taskmgr.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1824	WMIADAP.exe
1200	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

taskmgr.exemmc.exe

pid process

1200 taskmgr.exe
652 mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exetaskmgr.exeWMIADAP.exemmc.exe

description	pid	process
Token: SeDebugPrivilege	1060	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Token: SeDebugPrivilege	1200	taskmgr.exe
Token: SeDebugPrivilege	1824	WMIADAP.exe
Token: SeSecurityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: SeSecurityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe
Token: SeIncBasePriorityPrivilege	652	mmc.exe
Token: 33	652	mmc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe
1200	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

mmc.exe

pid process

652 mmc.exe
652 mmc.exe

pid	process
652	mmc.exe
652	mmc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.execmd.exe

description	pid	process	target process
PID 1060 wrote to memory of 628	1060	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe	cmd.exe
PID 1060 wrote to memory of 628	1060	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe	cmd.exe
PID 1060 wrote to memory of 628	1060	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe	cmd.exe
PID 628 wrote to memory of 1620	628	cmd.exe	w32tm.exe
PID 628 wrote to memory of 1620	628	cmd.exe	w32tm.exe
PID 628 wrote to memory of 1620	628	cmd.exe	w32tm.exe
PID 628 wrote to memory of 1824	628	cmd.exe	WMIADAP.exe
PID 628 wrote to memory of 1824	628	cmd.exe	WMIADAP.exe
PID 628 wrote to memory of 1824	628	cmd.exe	WMIADAP.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exeWMIADAP.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
"C:\Users\Admin\AppData\Local\Temp\3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HrcDr6ZXZM.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1620

C:\Program Files\7-Zip\Lang\WMIADAP.exe
"C:\Program Files\7-Zip\Lang\WMIADAP.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b07553" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755" /sc ONLOGON /tr "'C:\Windows\it-IT\3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b07553" /sc MINUTE /mo 7 /tr "'C:\Windows\it-IT\3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Tasks\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\de-DE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1200

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe
Filesize
2.4MB

MD5
0e444044fdfea512ca18fc3396abb65b

SHA1
8b601ccad5b2a76967c0ca7579dc13d092307f34

SHA256
3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755

SHA512
7b58b88c7fbcd7b97d1a08f2145794beefa2960382140bac74f1f4fe630cdd0314cd9bceb599a32c56788df1e0e9dccf84c1598c52f9c581389327428696e119

Download Submit
C:\Program Files\7-Zip\Lang\WMIADAP.exe
Filesize
2.4MB

MD5
0e444044fdfea512ca18fc3396abb65b

SHA1
8b601ccad5b2a76967c0ca7579dc13d092307f34

SHA256
3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755

SHA512
7b58b88c7fbcd7b97d1a08f2145794beefa2960382140bac74f1f4fe630cdd0314cd9bceb599a32c56788df1e0e9dccf84c1598c52f9c581389327428696e119

Download Submit
C:\Program Files\7-Zip\Lang\WMIADAP.exe
Filesize
2.4MB

MD5
0e444044fdfea512ca18fc3396abb65b

SHA1
8b601ccad5b2a76967c0ca7579dc13d092307f34

SHA256
3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755

SHA512
7b58b88c7fbcd7b97d1a08f2145794beefa2960382140bac74f1f4fe630cdd0314cd9bceb599a32c56788df1e0e9dccf84c1598c52f9c581389327428696e119

Download Submit
C:\Users\Admin\AppData\Local\Temp\HrcDr6ZXZM.bat
Filesize
204B

MD5
0df0a84cdcf2a8d75ce7d591cb841df1

SHA1
3ad5ba17350dba6e9f2a6a452f3eae39fe5fe8c4

SHA256
6369263c289c47b0f5ab98473be11e6dc2d3e196b8ee36b72fffab8caf6019b0

SHA512
a9a2562886b313328feb033ffd4391336fa2561dd81d418065681a72033bacff3ad320e4a21dc658ae64496ee4cc861caf238b217a826359ab45b08f08a30e9e

Download Submit
memory/652-99-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/652-113-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/652-124-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/652-102-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/652-122-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/652-121-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/652-120-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/652-115-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/652-119-0x000007FFFFF00000-0x000007FFFFF10000-memory.dmp

Filesize
64KB

Download
memory/652-118-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/652-117-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/652-116-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/652-114-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/652-111-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/652-112-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/652-110-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/652-101-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/652-109-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/652-97-0x00000000027C0000-0x00000000027DE000-memory.dmp

Filesize
120KB

Download
memory/652-98-0x000000001D030000-0x000000001D376000-memory.dmp

Filesize
3.3MB

Download
memory/652-108-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/652-100-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/652-103-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/652-123-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/652-107-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/652-104-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/652-105-0x000007FFFFF00000-0x000007FFFFF10000-memory.dmp

Filesize
64KB

Download
memory/652-106-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/1060-65-0x0000000001210000-0x0000000001218000-memory.dmp

Filesize
32KB

Download
memory/1060-64-0x0000000001220000-0x000000000122E000-memory.dmp

Filesize
56KB

Download
memory/1060-57-0x0000000000C10000-0x0000000000C2C000-memory.dmp

Filesize
112KB

Download
memory/1060-56-0x0000000000540000-0x000000000054E000-memory.dmp

Filesize
56KB

Download
memory/1060-60-0x00000000012D0000-0x0000000001326000-memory.dmp

Filesize
344KB

Download
memory/1060-61-0x0000000000C60000-0x0000000000C6C000-memory.dmp

Filesize
48KB

Download
memory/1060-59-0x0000000000C50000-0x0000000000C5A000-memory.dmp

Filesize
40KB

Download
memory/1060-54-0x0000000001350000-0x00000000015C8000-memory.dmp

Filesize
2.5MB

Download
memory/1060-55-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/1060-62-0x0000000000C70000-0x0000000000C7C000-memory.dmp

Filesize
48KB

Download
memory/1060-63-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/1060-58-0x0000000000C30000-0x0000000000C46000-memory.dmp

Filesize
88KB

Download
memory/1200-92-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1200-95-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1200-93-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1824-94-0x00000000009D0000-0x0000000000A50000-memory.dmp

Filesize
512KB

Download
memory/1824-96-0x00000000009D0000-0x0000000000A50000-memory.dmp

Filesize
512KB

Download
memory/1824-91-0x0000000001100000-0x0000000001378000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads