dcrat | 408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b

General

Target

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Size

2.7MB
MD5

2317326f5c2ec4b53d5071d19f1a5690
SHA1

384f47f21bd2dc1a67b80a5dcee9430f43bee08b
SHA256

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b
SHA512

98719abb8a334d96ecbd56450d2f55bd15a830ffb1ac516c79c0028f66f348f6b7389f5caf197615e0cd56a353299054ddc5159eb77b1f83c411012a9ac9b246
SSDEEP

49152:qH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:qHfE5Ad8Xd295UmGc

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Windows\\Fonts\\spoolsv.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Windows\\Fonts\\spoolsv.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\services.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Windows\\Fonts\\spoolsv.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\services.exe\", \"C:\\MSOCache\\All Users\\services.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Windows\\Fonts\\spoolsv.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\services.exe\", \"C:\\MSOCache\\All Users\\services.exe\", \"C:\\Program Files\\7-Zip\\Lang\\csrss.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Windows\\Fonts\\spoolsv.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\services.exe\", \"C:\\MSOCache\\All Users\\services.exe\", \"C:\\Program Files\\7-Zip\\Lang\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\audiodg.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Windows\\Fonts\\spoolsv.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\services.exe\", \"C:\\MSOCache\\All Users\\services.exe\", \"C:\\Program Files\\7-Zip\\Lang\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\audiodg.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\fr-FR\\sppsvc.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\smss.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\sppsvc.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Windows\\Fonts\\spoolsv.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\services.exe\", \"C:\\MSOCache\\All Users\\services.exe\", \"C:\\Program Files\\7-Zip\\Lang\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\audiodg.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\fr-FR\\sppsvc.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Windows\\Fonts\\spoolsv.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\services.exe\", \"C:\\MSOCache\\All Users\\services.exe\", \"C:\\Program Files\\7-Zip\\Lang\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\audiodg.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\fr-FR\\sppsvc.exe\", \"C:\\Users\\Default User\\lsm.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2464	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exesppsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/856-1-0x0000000000920000-0x0000000000BE0000-memory.dmp	dcrat
C:\MSOCache\All Users\services.exe	dcrat
C:\Program Files (x86)\Windows NT\Accessories\fr-FR\RCX2AB1.tmp	dcrat
C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe	dcrat
behavioral1/memory/2848-128-0x0000000001040000-0x0000000001300000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2852 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

sppsvc.exe

pid process

2848 sppsvc.exe

pid	process
2852	powershell.exe

pid	process
2848	sppsvc.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\services.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\services.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\7-Zip\\Lang\\csrss.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\fr-FR\\sppsvc.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default User\\lsm.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\services.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\sppsvc.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\7-Zip\\Lang\\csrss.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\sppsvc.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Fonts\\spoolsv.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\services.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Microsoft Office\\audiodg.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default User\\lsm.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\smss.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Microsoft Office\\audiodg.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\fr-FR\\sppsvc.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\smss.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Fonts\\spoolsv.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exesppsvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Drops file in Program Files directory 20 IoCs

Processes:

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\services.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\audiodg.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\RCX2AB1.tmp	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\RCX28AD.tmp	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\69ddcba757bf72	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\csrss.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\sppsvc.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX26A9.tmp	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\sppsvc.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX2F93.tmp	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files\7-Zip\Lang\csrss.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files\7-Zip\Lang\886983d96e3d3e	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files (x86)\Microsoft Office\audiodg.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\RCX22A2.tmp	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\services.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\c5b4cb5e9653cc	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files (x86)\Microsoft Office\42af1c969fbb7b	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\0a1fd5f707cd16	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

Drops file in Windows directory 5 IoCs

Processes:

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\spoolsv.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Windows\Fonts\spoolsv.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Windows\Fonts\f3b6ecef712a24	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Windows\servicing\en-US\services.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Windows\Fonts\RCX2031.tmp	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1532	schtasks.exe
880	schtasks.exe
2292	schtasks.exe
2784	schtasks.exe
816	schtasks.exe
2760	schtasks.exe
1648	schtasks.exe
1180	schtasks.exe
2376	schtasks.exe
644	schtasks.exe
2456	schtasks.exe
2488	schtasks.exe
2172	schtasks.exe
1640	schtasks.exe
1600	schtasks.exe
1456	schtasks.exe
2644	schtasks.exe
2440	schtasks.exe
1328	schtasks.exe
2712	schtasks.exe
2576	schtasks.exe
1824	schtasks.exe
2764	schtasks.exe
2276	schtasks.exe
2052	schtasks.exe
2108	schtasks.exe
2316	schtasks.exe
3056	schtasks.exe
1628	schtasks.exe
2268	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

sppsvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	sppsvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exepowershell.exesppsvc.exe

pid	process
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
2852	powershell.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe
2848	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exepowershell.exesppsvc.exe

description	pid	process
Token: SeDebugPrivilege	856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2848	sppsvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

description	pid	process	target process
PID 856 wrote to memory of 2852	856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe	powershell.exe
PID 856 wrote to memory of 2852	856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe	powershell.exe
PID 856 wrote to memory of 2852	856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe	powershell.exe
PID 856 wrote to memory of 2848	856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe	sppsvc.exe
PID 856 wrote to memory of 2848	856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe	sppsvc.exe
PID 856 wrote to memory of 2848	856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe	sppsvc.exe
PID 856 wrote to memory of 2848	856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe	sppsvc.exe
PID 856 wrote to memory of 2848	856	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe	sppsvc.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exesppsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
"C:\Users\Admin\AppData\Local\Temp\408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Program Files (x86)\Windows NT\Accessories\fr-FR\sppsvc.exe
  "C:\Program Files (x86)\Windows NT\Accessories\fr-FR\sppsvc.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Fonts\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\services.exe

Filesize
2.7MB

MD5
2317326f5c2ec4b53d5071d19f1a5690

SHA1
384f47f21bd2dc1a67b80a5dcee9430f43bee08b

SHA256
408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b

SHA512
98719abb8a334d96ecbd56450d2f55bd15a830ffb1ac516c79c0028f66f348f6b7389f5caf197615e0cd56a353299054ddc5159eb77b1f83c411012a9ac9b246

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe

Filesize
2.7MB

MD5
35d970a4ba7fa62a9e5347aa61494b1c

SHA1
5d276a8fb31c1d2b488cb573ef24db0d2949698d

SHA256
99ae0ea315d41bdb1c7ec63a1377bc8f6e5f3d14e8412f7a696ffcbcad604721

SHA512
fbf8b9ae31523bd0c46d68fe8156618887929545e637e069cc50f11a9ceb25cc03ed0c7681011aa626dcef9d84934a5bec906be0dacba889a10c61686e4ff851

Download Submit
C:\Program Files (x86)\Windows NT\Accessories\fr-FR\RCX2AB1.tmp

Filesize
2.7MB

MD5
24018cec411313a224b14755f9a892ca

SHA1
e25bb46195a0ac8d7e6ceaaacb31ef4b2fda1801

SHA256
1737c3c6699c5b0af8bd8eaf9c625cf5f0dfd01a7718e458c869bfbbb7f5dbe4

SHA512
b5eb3360f9dd0460790227f2dd881ab431bc9750280e3b122813e2f5e60dcc9c84e738824cfcba78eeffd37adaa602a1fb288092f03afa4c43ef1b1277ccd177

Download Submit
memory/856-17-0x000000001ADF0000-0x000000001ADFC000-memory.dmp

Filesize
48KB

Download
memory/856-129-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/856-16-0x000000001ADE0000-0x000000001ADE8000-memory.dmp

Filesize
32KB

Download
memory/856-6-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/856-7-0x0000000000900000-0x0000000000916000-memory.dmp

Filesize
88KB

Download
memory/856-8-0x0000000002170000-0x0000000002178000-memory.dmp

Filesize
32KB

Download
memory/856-10-0x00000000021A0000-0x00000000021B0000-memory.dmp

Filesize
64KB

Download
memory/856-9-0x0000000002180000-0x0000000002188000-memory.dmp

Filesize
32KB

Download
memory/856-11-0x0000000002190000-0x000000000219A000-memory.dmp

Filesize
40KB

Download
memory/856-12-0x000000001AD90000-0x000000001ADE6000-memory.dmp

Filesize
344KB

Download
memory/856-13-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/856-14-0x00000000023D0000-0x00000000023D8000-memory.dmp

Filesize
32KB

Download
memory/856-15-0x00000000023E0000-0x00000000023EC000-memory.dmp

Filesize
48KB

Download
memory/856-0-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmp

Filesize
4KB

Download
memory/856-5-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/856-19-0x000000001AE10000-0x000000001AE18000-memory.dmp

Filesize
32KB

Download
memory/856-4-0x00000000004A0000-0x00000000004BC000-memory.dmp

Filesize
112KB

Download
memory/856-20-0x000000001AE20000-0x000000001AE28000-memory.dmp

Filesize
32KB

Download
memory/856-21-0x000000001AE30000-0x000000001AE3C000-memory.dmp

Filesize
48KB

Download
memory/856-22-0x000000001AE40000-0x000000001AE4C000-memory.dmp

Filesize
48KB

Download
memory/856-24-0x000000001AE60000-0x000000001AE6A000-memory.dmp

Filesize
40KB

Download
memory/856-26-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/856-25-0x000000001AE70000-0x000000001AE7C000-memory.dmp

Filesize
48KB

Download
memory/856-23-0x000000001AE50000-0x000000001AE58000-memory.dmp

Filesize
32KB

Download
memory/856-3-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/856-2-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/856-1-0x0000000000920000-0x0000000000BE0000-memory.dmp

Filesize
2.8MB

Download
memory/856-18-0x000000001AE00000-0x000000001AE0C000-memory.dmp

Filesize
48KB

Download
memory/2848-128-0x0000000001040000-0x0000000001300000-memory.dmp

Filesize
2.8MB

Download
memory/2852-127-0x00000000029A0000-0x00000000029A8000-memory.dmp

Filesize
32KB

Download
memory/2852-126-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads