dcrat | b52eac71c2df2416b15d52213cd1a8481d75af55ef931337767e73f01a2f9175

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21-10-2023 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
Size

1.1MB
MD5

7b6bc051fb67fe4b3426215ac69b01f0
SHA1

ab2b2afd7d31545ba6608db5a88a7340742255cf
SHA256

b52eac71c2df2416b15d52213cd1a8481d75af55ef931337767e73f01a2f9175
SHA512

f9a2536bbb520872620a1a8990646dd4eefcbc9cd647b78ce6496f2badcc47e32d25cc410d43f9056d5a0995cdb985b8975b38de6fc567572dafd81e44b96485
SSDEEP

12288:sl+4Tcyct/JWT7yckBlepmbMsBXYHOWyAh5+djVyKDGpiRe7FaS+ug82qGeJ3btK:xyc5JWackYm7dZ1Oq2nn2qPJ3btV3+f

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	3044	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	3044	schtasks.exe	28

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2028-0-0x0000000000E50000-0x0000000000F70000-memory.dmp	dcrat
behavioral1/files/0x00080000000161a5-17.dat	dcrat
behavioral1/memory/2028-123-0x0000000000A50000-0x0000000000AD0000-memory.dmp	dcrat
behavioral1/files/0x0009000000016c1d-171.dat	dcrat
behavioral1/files/0x0007000000016d77-209.dat	dcrat
behavioral1/files/0x0007000000017128-231.dat	dcrat
behavioral1/files/0x000700000001872a-240.dat	dcrat
behavioral1/files/0x0009000000016c1d-268.dat	dcrat
behavioral1/memory/2164-298-0x0000000000280000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/files/0x0009000000016c1d-282.dat	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2164	audiodg.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\System.exe	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File created	C:\Program Files (x86)\Windows Portable Devices\27d1bcfc3c54e0	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File created	C:\Program Files (x86)\Internet Explorer\886983d96e3d3e	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\101b941d020240	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXD5B5.tmp	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXE414.tmp	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\76929c0aeb971e	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXCECC.tmp	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXE377.tmp	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File created	C:\Program Files (x86)\Internet Explorer\csrss.exe	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXCEDC.tmp	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File created	C:\Program Files (x86)\Windows Mail\services.exe	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File created	C:\Program Files (x86)\Windows Mail\c5b4cb5e9653cc	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXCB31.tmp	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\System.exe	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\services.exe	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RCXE8F7.tmp	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RCXE907.tmp	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\69ddcba757bf72	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXCB32.tmp	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\csrss.exe	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\RCXD19B.tmp	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\RCXD19C.tmp	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXD5B6.tmp	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\security\database\smss.exe	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File created	C:\Windows\Offline Web Pages\audiodg.exe	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File created	C:\Windows\security\database\smss.exe	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXDEF1.tmp	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Windows\Offline Web Pages\audiodg.exe	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Windows\security\database\RCXE0F5.tmp	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Windows\security\database\RCXE0F6.tmp	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File created	C:\Windows\Offline Web Pages\42af1c969fbb7b	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File created	C:\Windows\security\database\69ddcba757bf72	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File created	C:\Windows\Speech\Common\es-ES\explorer.exe	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXDE74.tmp	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2900	schtasks.exe
2432	schtasks.exe
1248	schtasks.exe
2644	schtasks.exe
2852	schtasks.exe
1968	schtasks.exe
2404	schtasks.exe
1868	schtasks.exe
2800	schtasks.exe
1200	schtasks.exe
1948	schtasks.exe
2872	schtasks.exe
2756	schtasks.exe
2596	schtasks.exe
940	schtasks.exe
1568	schtasks.exe
2532	schtasks.exe
1904	schtasks.exe
2316	schtasks.exe
2296	schtasks.exe
2528	schtasks.exe
1636	schtasks.exe
1760	schtasks.exe
2400	schtasks.exe
2264	schtasks.exe
1680	schtasks.exe
1096	schtasks.exe
1704	schtasks.exe
2108	schtasks.exe
3000	schtasks.exe
1792	schtasks.exe
1732	schtasks.exe
2844	schtasks.exe
2160	schtasks.exe
1100	schtasks.exe
2172	schtasks.exe
924	schtasks.exe
684	schtasks.exe
2612	schtasks.exe
1556	schtasks.exe
2084	schtasks.exe
2712	schtasks.exe
1412	schtasks.exe
2256	schtasks.exe
2792	schtasks.exe
948	schtasks.exe
2864	schtasks.exe
2444	schtasks.exe
2784	schtasks.exe
1908	schtasks.exe
1612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
1784	powershell.exe
1712	powershell.exe
2544	powershell.exe
2768	powershell.exe
1248	powershell.exe
2688	powershell.exe
3060	powershell.exe
2800	powershell.exe
2816	powershell.exe
2188	powershell.exe
1608	powershell.exe
2316	powershell.exe
2164	audiodg.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2164	audiodg.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2188	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	82
PID 2028 wrote to memory of 2188	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	82
PID 2028 wrote to memory of 2188	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	82
PID 2028 wrote to memory of 2688	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	83
PID 2028 wrote to memory of 2688	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	83
PID 2028 wrote to memory of 2688	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	83
PID 2028 wrote to memory of 2800	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	84
PID 2028 wrote to memory of 2800	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	84
PID 2028 wrote to memory of 2800	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	84
PID 2028 wrote to memory of 2816	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	85
PID 2028 wrote to memory of 2816	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	85
PID 2028 wrote to memory of 2816	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	85
PID 2028 wrote to memory of 3060	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	86
PID 2028 wrote to memory of 3060	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	86
PID 2028 wrote to memory of 3060	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	86
PID 2028 wrote to memory of 2768	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	87
PID 2028 wrote to memory of 2768	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	87
PID 2028 wrote to memory of 2768	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	87
PID 2028 wrote to memory of 2316	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	88
PID 2028 wrote to memory of 2316	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	88
PID 2028 wrote to memory of 2316	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	88
PID 2028 wrote to memory of 2544	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	89
PID 2028 wrote to memory of 2544	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	89
PID 2028 wrote to memory of 2544	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	89
PID 2028 wrote to memory of 1712	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	90
PID 2028 wrote to memory of 1712	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	90
PID 2028 wrote to memory of 1712	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	90
PID 2028 wrote to memory of 1608	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	96
PID 2028 wrote to memory of 1608	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	96
PID 2028 wrote to memory of 1608	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	96
PID 2028 wrote to memory of 1784	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	95
PID 2028 wrote to memory of 1784	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	95
PID 2028 wrote to memory of 1784	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	95
PID 2028 wrote to memory of 1248	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	97
PID 2028 wrote to memory of 1248	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	97
PID 2028 wrote to memory of 1248	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	97
PID 2028 wrote to memory of 2164	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	106
PID 2028 wrote to memory of 2164	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	106
PID 2028 wrote to memory of 2164	2028	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe	106

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\Offline Web Pages\audiodg.exe
  "C:\Windows\Offline Web Pages\audiodg.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\c892d282-6fd3-11ee-8de2-cade5fbbb9e7\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\c892d282-6fd3-11ee-8de2-cade5fbbb9e7\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\c892d282-6fd3-11ee-8de2-cade5fbbb9e7\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.7b6bc051fb67fe4b3426215ac69b01f0N" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jdk1.7.0_80\NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.7b6bc051fb67fe4b3426215ac69b01f0" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.7b6bc051fb67fe4b3426215ac69b01f0N" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jdk1.7.0_80\NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\c892d282-6fd3-11ee-8de2-cade5fbbb9e7\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\c892d282-6fd3-11ee-8de2-cade5fbbb9e7\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\c892d282-6fd3-11ee-8de2-cade5fbbb9e7\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\security\database\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\security\database\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\security\database\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\c892d282-6fd3-11ee-8de2-cade5fbbb9e7\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\c892d282-6fd3-11ee-8de2-cade5fbbb9e7\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\c892d282-6fd3-11ee-8de2-cade5fbbb9e7\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe

Filesize
1.1MB

MD5
4fac0368e9d6e1c883ad3a7d88700794

SHA1
c88d24a6d62deafd4c2bcc5652f6eac367cf34c4

SHA256
c55bf425155cc8c15cac9d734b141ab02b98024802688bb3eb1e4c2072bec058

SHA512
85b927bbcf9e43226a798b05fe98703218caf0b399488fa45748812910aff03a68cf0271c348d3690671f2140832bae0b7ee663f26eda9dce320ca856ea884c4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\NEAS.7b6bc051fb67fe4b3426215ac69b01f0.exe

Filesize
1.1MB

MD5
7b6bc051fb67fe4b3426215ac69b01f0

SHA1
ab2b2afd7d31545ba6608db5a88a7340742255cf

SHA256
b52eac71c2df2416b15d52213cd1a8481d75af55ef931337767e73f01a2f9175

SHA512
f9a2536bbb520872620a1a8990646dd4eefcbc9cd647b78ce6496f2badcc47e32d25cc410d43f9056d5a0995cdb985b8975b38de6fc567572dafd81e44b96485

Download Submit
C:\Recovery\c892d282-6fd3-11ee-8de2-cade5fbbb9e7\services.exe

Filesize
1.1MB

MD5
3d9d68eda01fba743f2f764c0fad6daa

SHA1
3002a87a1a36b1dfa369afdf1851d1406bd45e97

SHA256
c583d2843a92eb7830546b9be3c026d7bdf2aefbab30da8634475e7d70963864

SHA512
bcce01fd1f88d5f2dfce7c25ec89ab62f91fab1cc4aa0792a8e1fa641ea8365c8dceb418860ee0ecd70f84d2aeafc69380540117944fc9f063d283a461e23733

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2d726192d4f4561b0cbcc16675b48066

SHA1
4531a5322aa526261eff157e9462f72a1d47518b

SHA256
a8b8c6423f91cda4f67dff977eb14c26a74bd1da7ec4d9ebeae85d5be0d42887

SHA512
e4d4f08a82776f8ab6067ee46d9f4438edc5fabd812d2d42058b1f47fe052228007a1818c3252cbebc52b2faa6a4e632d301e85cf36f6b782ebaa22d7a9888c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2d726192d4f4561b0cbcc16675b48066

SHA1
4531a5322aa526261eff157e9462f72a1d47518b

SHA256
a8b8c6423f91cda4f67dff977eb14c26a74bd1da7ec4d9ebeae85d5be0d42887

SHA512
e4d4f08a82776f8ab6067ee46d9f4438edc5fabd812d2d42058b1f47fe052228007a1818c3252cbebc52b2faa6a4e632d301e85cf36f6b782ebaa22d7a9888c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2d726192d4f4561b0cbcc16675b48066

SHA1
4531a5322aa526261eff157e9462f72a1d47518b

SHA256
a8b8c6423f91cda4f67dff977eb14c26a74bd1da7ec4d9ebeae85d5be0d42887

SHA512
e4d4f08a82776f8ab6067ee46d9f4438edc5fabd812d2d42058b1f47fe052228007a1818c3252cbebc52b2faa6a4e632d301e85cf36f6b782ebaa22d7a9888c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2d726192d4f4561b0cbcc16675b48066

SHA1
4531a5322aa526261eff157e9462f72a1d47518b

SHA256
a8b8c6423f91cda4f67dff977eb14c26a74bd1da7ec4d9ebeae85d5be0d42887

SHA512
e4d4f08a82776f8ab6067ee46d9f4438edc5fabd812d2d42058b1f47fe052228007a1818c3252cbebc52b2faa6a4e632d301e85cf36f6b782ebaa22d7a9888c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2d726192d4f4561b0cbcc16675b48066

SHA1
4531a5322aa526261eff157e9462f72a1d47518b

SHA256
a8b8c6423f91cda4f67dff977eb14c26a74bd1da7ec4d9ebeae85d5be0d42887

SHA512
e4d4f08a82776f8ab6067ee46d9f4438edc5fabd812d2d42058b1f47fe052228007a1818c3252cbebc52b2faa6a4e632d301e85cf36f6b782ebaa22d7a9888c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2d726192d4f4561b0cbcc16675b48066

SHA1
4531a5322aa526261eff157e9462f72a1d47518b

SHA256
a8b8c6423f91cda4f67dff977eb14c26a74bd1da7ec4d9ebeae85d5be0d42887

SHA512
e4d4f08a82776f8ab6067ee46d9f4438edc5fabd812d2d42058b1f47fe052228007a1818c3252cbebc52b2faa6a4e632d301e85cf36f6b782ebaa22d7a9888c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2d726192d4f4561b0cbcc16675b48066

SHA1
4531a5322aa526261eff157e9462f72a1d47518b

SHA256
a8b8c6423f91cda4f67dff977eb14c26a74bd1da7ec4d9ebeae85d5be0d42887

SHA512
e4d4f08a82776f8ab6067ee46d9f4438edc5fabd812d2d42058b1f47fe052228007a1818c3252cbebc52b2faa6a4e632d301e85cf36f6b782ebaa22d7a9888c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2d726192d4f4561b0cbcc16675b48066

SHA1
4531a5322aa526261eff157e9462f72a1d47518b

SHA256
a8b8c6423f91cda4f67dff977eb14c26a74bd1da7ec4d9ebeae85d5be0d42887

SHA512
e4d4f08a82776f8ab6067ee46d9f4438edc5fabd812d2d42058b1f47fe052228007a1818c3252cbebc52b2faa6a4e632d301e85cf36f6b782ebaa22d7a9888c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2d726192d4f4561b0cbcc16675b48066

SHA1
4531a5322aa526261eff157e9462f72a1d47518b

SHA256
a8b8c6423f91cda4f67dff977eb14c26a74bd1da7ec4d9ebeae85d5be0d42887

SHA512
e4d4f08a82776f8ab6067ee46d9f4438edc5fabd812d2d42058b1f47fe052228007a1818c3252cbebc52b2faa6a4e632d301e85cf36f6b782ebaa22d7a9888c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X9WQUP1HNV3PFX2BFDVV.temp

Filesize
7KB

MD5
2d726192d4f4561b0cbcc16675b48066

SHA1
4531a5322aa526261eff157e9462f72a1d47518b

SHA256
a8b8c6423f91cda4f67dff977eb14c26a74bd1da7ec4d9ebeae85d5be0d42887

SHA512
e4d4f08a82776f8ab6067ee46d9f4438edc5fabd812d2d42058b1f47fe052228007a1818c3252cbebc52b2faa6a4e632d301e85cf36f6b782ebaa22d7a9888c5

Download Submit
C:\Users\Default\services.exe

Filesize
1.1MB

MD5
e82768feea7b2302a64e11a5ff1cff2e

SHA1
971d868935644060411476eff4af3e9176c3cfed

SHA256
f4f5cfaf0e9121c317500a4a8bd157d0e2152b0b523fdbe6a1a51796c25cbe48

SHA512
83844c900161513a60a3374726c9afdde63194c9df1c8b5ff3b06cccf2fd435486cba8c4befa2662c3cd9babed268c5b6d60b30ae00eb6cf4416667b48d23520

Download Submit
C:\Windows\Offline Web Pages\RCXDE74.tmp

Filesize
1.1MB

MD5
1a24d140cf55aefcc831da3d099fc744

SHA1
8371ea70a3865dcbd94dc773edfae6d5886113aa

SHA256
05e6fce1bdd6950bf512c8667b621aedad5886cb4b95f841e0c7e618eae7bd1b

SHA512
befac698e4bb7790f89ab6121031eb4cc04784253d4c2a0c08ad6f2791feececddbe064c45b40c3e85e2d6520e5ddc3e43d61c8010d3513d434bfe48176edb2d

Download Submit
C:\Windows\Offline Web Pages\audiodg.exe

Filesize
1.1MB

MD5
1a24d140cf55aefcc831da3d099fc744

SHA1
8371ea70a3865dcbd94dc773edfae6d5886113aa

SHA256
05e6fce1bdd6950bf512c8667b621aedad5886cb4b95f841e0c7e618eae7bd1b

SHA512
befac698e4bb7790f89ab6121031eb4cc04784253d4c2a0c08ad6f2791feececddbe064c45b40c3e85e2d6520e5ddc3e43d61c8010d3513d434bfe48176edb2d

Download Submit
C:\Windows\Offline Web Pages\audiodg.exe

Filesize
1.1MB

MD5
1a24d140cf55aefcc831da3d099fc744

SHA1
8371ea70a3865dcbd94dc773edfae6d5886113aa

SHA256
05e6fce1bdd6950bf512c8667b621aedad5886cb4b95f841e0c7e618eae7bd1b

SHA512
befac698e4bb7790f89ab6121031eb4cc04784253d4c2a0c08ad6f2791feececddbe064c45b40c3e85e2d6520e5ddc3e43d61c8010d3513d434bfe48176edb2d

Download Submit
memory/1248-338-0x000007FEEE300000-0x000007FEEEC9D000-memory.dmp

Filesize
9.6MB

Download
memory/1248-327-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/1248-357-0x00000000029CB000-0x0000000002A32000-memory.dmp

Filesize
412KB

Download
memory/1248-323-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/1248-322-0x000007FEEE300000-0x000007FEEEC9D000-memory.dmp

Filesize
9.6MB

Download
memory/1608-336-0x000007FEEE300000-0x000007FEEEC9D000-memory.dmp

Filesize
9.6MB

Download
memory/1608-348-0x000000000225B000-0x00000000022C2000-memory.dmp

Filesize
412KB

Download
memory/1608-343-0x0000000002254000-0x0000000002257000-memory.dmp

Filesize
12KB

Download
memory/1712-279-0x000007FEEE300000-0x000007FEEEC9D000-memory.dmp

Filesize
9.6MB

Download
memory/1712-278-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1712-280-0x0000000002A80000-0x0000000002B00000-memory.dmp

Filesize
512KB

Download
memory/1712-257-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

Filesize
2.9MB

Download
memory/1712-265-0x000007FEEE300000-0x000007FEEEC9D000-memory.dmp

Filesize
9.6MB

Download
memory/1712-320-0x0000000002A80000-0x0000000002B00000-memory.dmp

Filesize
512KB

Download
memory/1712-277-0x0000000002A80000-0x0000000002B00000-memory.dmp

Filesize
512KB

Download
memory/1712-342-0x000007FEEE300000-0x000007FEEEC9D000-memory.dmp

Filesize
9.6MB

Download
memory/1784-307-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/1784-300-0x000007FEEE300000-0x000007FEEEC9D000-memory.dmp

Filesize
9.6MB

Download
memory/1784-354-0x000007FEEE300000-0x000007FEEEC9D000-memory.dmp

Filesize
9.6MB

Download
memory/1784-302-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/1784-292-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/2028-123-0x0000000000A50000-0x0000000000AD0000-memory.dmp

Filesize
512KB

Download
memory/2028-8-0x0000000000A40000-0x0000000000A4C000-memory.dmp

Filesize
48KB

Download
memory/2028-299-0x000007FEF5FE0000-0x000007FEF69CC000-memory.dmp

Filesize
9.9MB

Download
memory/2028-4-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/2028-5-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download
memory/2028-107-0x000007FEF5FE0000-0x000007FEF69CC000-memory.dmp

Filesize
9.9MB

Download
memory/2028-7-0x0000000000A30000-0x0000000000A3C000-memory.dmp

Filesize
48KB

Download
memory/2028-1-0x000007FEF5FE0000-0x000007FEF69CC000-memory.dmp

Filesize
9.9MB

Download
memory/2028-2-0x0000000000A50000-0x0000000000AD0000-memory.dmp

Filesize
512KB

Download
memory/2028-3-0x00000000004B0000-0x00000000004BE000-memory.dmp

Filesize
56KB

Download
memory/2028-6-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/2028-0-0x0000000000E50000-0x0000000000F70000-memory.dmp

Filesize
1.1MB

Download
memory/2164-298-0x0000000000280000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/2164-328-0x000007FEF5FE0000-0x000007FEF69CC000-memory.dmp

Filesize
9.9MB

Download
memory/2188-350-0x00000000025CB000-0x0000000002632000-memory.dmp

Filesize
412KB

Download
memory/2316-352-0x00000000029BB000-0x0000000002A22000-memory.dmp

Filesize
412KB

Download
memory/2544-345-0x00000000028CB000-0x0000000002932000-memory.dmp

Filesize
412KB

Download
memory/2544-319-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2544-340-0x000007FEEE300000-0x000007FEEEC9D000-memory.dmp

Filesize
9.6MB

Download
memory/2544-318-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2544-317-0x000007FEEE300000-0x000007FEEEC9D000-memory.dmp

Filesize
9.6MB

Download
memory/2544-321-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2688-341-0x000007FEEE300000-0x000007FEEEC9D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-346-0x00000000024AB000-0x0000000002512000-memory.dmp

Filesize
412KB

Download
memory/2768-326-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/2768-330-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/2768-325-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/2768-332-0x000007FEEE300000-0x000007FEEEC9D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-324-0x000007FEEE300000-0x000007FEEEC9D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-333-0x000000000279B000-0x0000000002802000-memory.dmp

Filesize
412KB

Download
memory/2800-337-0x0000000001E40000-0x0000000001EC0000-memory.dmp

Filesize
512KB

Download
memory/2800-331-0x0000000001E40000-0x0000000001EC0000-memory.dmp

Filesize
512KB

Download
memory/2800-355-0x0000000001E44000-0x0000000001E47000-memory.dmp

Filesize
12KB

Download
memory/2800-349-0x000007FEEE300000-0x000007FEEEC9D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-335-0x0000000001E4B000-0x0000000001EB2000-memory.dmp

Filesize
412KB

Download
memory/2800-329-0x000007FEEE300000-0x000007FEEEC9D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-334-0x000007FEEE300000-0x000007FEEEC9D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-353-0x000000000249B000-0x0000000002502000-memory.dmp

Filesize
412KB

Download
memory/2816-347-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/2816-339-0x000007FEEE300000-0x000007FEEEC9D000-memory.dmp

Filesize
9.6MB

Download
memory/3060-351-0x000007FEEE300000-0x000007FEEEC9D000-memory.dmp

Filesize
9.6MB

Download
memory/3060-356-0x0000000002984000-0x0000000002987000-memory.dmp

Filesize
12KB

Download
memory/3060-344-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download