dcrat | 6fe3954e5bf41385b5002f96e4bab15545dee6ab4278c2d6455a65157f4e8e9f

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 07:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0c8a0a7c4e92809c7f8303d35d7f0d84.exe
Size

4.7MB
MD5

0c8a0a7c4e92809c7f8303d35d7f0d84
SHA1

9cebe3c7e1d1698edb7e512847b3d6e9846d7e52
SHA256

6fe3954e5bf41385b5002f96e4bab15545dee6ab4278c2d6455a65157f4e8e9f
SHA512

0544f9abf5a3105cf8229132fe839f4866a1b56f2ee16c8c06f450c549f6ba715f7b4a039a91207df6afa856a985e3e793945648546c1e93f82add6d9cae412a
SSDEEP

98304:Aqwf7ZW2WRBeGGj16dJKmyRN1vAsEVgqyu3OimIkJAr0S:Aqwfo2yUGbJKmEWQu3OYxr0S

Score

10^/10

dcrat credential_access discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Signatures

DcRat 55 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2988	schtasks.exe
		2600	schtasks.exe
		2448	schtasks.exe
		2964	schtasks.exe
		2152	schtasks.exe
		2680	schtasks.exe
		700	schtasks.exe
		2088	schtasks.exe
		2024	schtasks.exe
		3052	schtasks.exe
		880	schtasks.exe
		2908	schtasks.exe
		1480	schtasks.exe
		2128	schtasks.exe
		2792	schtasks.exe
		2916	schtasks.exe
		812	schtasks.exe
		2520	schtasks.exe
		3032	schtasks.exe
		2912	schtasks.exe
		2884	schtasks.exe
		596	schtasks.exe
		1248	schtasks.exe
		2972	schtasks.exe
		2756	schtasks.exe
		848	schtasks.exe
		1908	schtasks.exe
		1684	schtasks.exe
		2900	schtasks.exe
		2584	schtasks.exe
		2692	schtasks.exe
		308	schtasks.exe
		2100	schtasks.exe
		2728	schtasks.exe
		2580	schtasks.exe
		1120	schtasks.exe
		2272	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		midnight.exe
		1368	schtasks.exe
		2936	schtasks.exe
		2512	schtasks.exe
		680	schtasks.exe
		2196	schtasks.exe
		2516	schtasks.exe
		1384	schtasks.exe
		1960	schtasks.exe
		1488	schtasks.exe
		760	schtasks.exe
		1736	schtasks.exe
		2820	schtasks.exe
		2968	schtasks.exe
		2432	schtasks.exe
		1260	schtasks.exe
		1804	schtasks.exe
		2952	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\midni.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\Part\\dwm.exe\", \"C:\\HypercomComponentwebDhcp\\dwm.exe\", \"C:\\Windows\\SysWOW64\\Printing_Admin_Scripts\\es-ES\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\taskhost.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\Legal\\ENU\\csrss.exe\", \"C:\\HypercomComponentwebDhcp\\lsm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\midni.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\HypercomComponentwebDhcp\\csrss.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\winlogon.exe\", \"C:\\HypercomComponentwebDhcp\\spoolsv.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\midni.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\midni.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\dwm.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\midni.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\Part\\dwm.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\midni.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\Part\\dwm.exe\", \"C:\\HypercomComponentwebDhcp\\dwm.exe\", \"C:\\Windows\\SysWOW64\\Printing_Admin_Scripts\\es-ES\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\taskhost.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\Legal\\ENU\\csrss.exe\", \"C:\\HypercomComponentwebDhcp\\lsm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\midni.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\HypercomComponentwebDhcp\\csrss.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\midni.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\Part\\dwm.exe\", \"C:\\HypercomComponentwebDhcp\\dwm.exe\", \"C:\\Windows\\SysWOW64\\Printing_Admin_Scripts\\es-ES\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\taskhost.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\Legal\\ENU\\csrss.exe\", \"C:\\HypercomComponentwebDhcp\\lsm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\midni.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\HypercomComponentwebDhcp\\csrss.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\winlogon.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\midni.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\Part\\dwm.exe\", \"C:\\HypercomComponentwebDhcp\\dwm.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\midni.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\Part\\dwm.exe\", \"C:\\HypercomComponentwebDhcp\\dwm.exe\", \"C:\\Windows\\SysWOW64\\Printing_Admin_Scripts\\es-ES\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsm.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\midni.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\Part\\dwm.exe\", \"C:\\HypercomComponentwebDhcp\\dwm.exe\", \"C:\\Windows\\SysWOW64\\Printing_Admin_Scripts\\es-ES\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\taskhost.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\midni.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\Part\\dwm.exe\", \"C:\\HypercomComponentwebDhcp\\dwm.exe\", \"C:\\Windows\\SysWOW64\\Printing_Admin_Scripts\\es-ES\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\taskhost.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\Legal\\ENU\\csrss.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\midni.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\Part\\dwm.exe\", \"C:\\HypercomComponentwebDhcp\\dwm.exe\", \"C:\\Windows\\SysWOW64\\Printing_Admin_Scripts\\es-ES\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\taskhost.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\Legal\\ENU\\csrss.exe\", \"C:\\HypercomComponentwebDhcp\\lsm.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\midni.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\Part\\dwm.exe\", \"C:\\HypercomComponentwebDhcp\\dwm.exe\", \"C:\\Windows\\SysWOW64\\Printing_Admin_Scripts\\es-ES\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\taskhost.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\Legal\\ENU\\csrss.exe\", \"C:\\HypercomComponentwebDhcp\\lsm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\midni.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\midni.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\Part\\dwm.exe\", \"C:\\HypercomComponentwebDhcp\\dwm.exe\", \"C:\\Windows\\SysWOW64\\Printing_Admin_Scripts\\es-ES\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\taskhost.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\Legal\\ENU\\csrss.exe\", \"C:\\HypercomComponentwebDhcp\\lsm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\midni.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\HypercomComponentwebDhcp\\csrss.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\winlogon.exe\", \"C:\\HypercomComponentwebDhcp\\spoolsv.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\smss.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\midni.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\Part\\dwm.exe\", \"C:\\HypercomComponentwebDhcp\\dwm.exe\", \"C:\\Windows\\SysWOW64\\Printing_Admin_Scripts\\es-ES\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\taskhost.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\Legal\\ENU\\csrss.exe\", \"C:\\HypercomComponentwebDhcp\\lsm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\midni.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\HypercomComponentwebDhcp\\csrss.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\winlogon.exe\", \"C:\\HypercomComponentwebDhcp\\spoolsv.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\smss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsm.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\midni.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\Part\\dwm.exe\", \"C:\\HypercomComponentwebDhcp\\dwm.exe\", \"C:\\Windows\\SysWOW64\\Printing_Admin_Scripts\\es-ES\\services.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\midni.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\Part\\dwm.exe\", \"C:\\HypercomComponentwebDhcp\\dwm.exe\", \"C:\\Windows\\SysWOW64\\Printing_Admin_Scripts\\es-ES\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\taskhost.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\midni.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\Part\\dwm.exe\", \"C:\\HypercomComponentwebDhcp\\dwm.exe\", \"C:\\Windows\\SysWOW64\\Printing_Admin_Scripts\\es-ES\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\taskhost.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\Legal\\ENU\\csrss.exe\", \"C:\\HypercomComponentwebDhcp\\lsm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\midni.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\OSPPSVC.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\midni.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\Part\\dwm.exe\", \"C:\\HypercomComponentwebDhcp\\dwm.exe\", \"C:\\Windows\\SysWOW64\\Printing_Admin_Scripts\\es-ES\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\taskhost.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\Legal\\ENU\\csrss.exe\", \"C:\\HypercomComponentwebDhcp\\lsm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\midni.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\HypercomComponentwebDhcp\\csrss.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\winlogon.exe\", \"C:\\HypercomComponentwebDhcp\\spoolsv.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\smss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsm.exe\", \"C:\\Program Files\\Uninstall Information\\explorer.exe\""	perfdll.exe

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	420	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	420	schtasks.exe	37

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	perfdll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	perfdll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	perfdll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d4d-6.dat	dcrat
behavioral1/files/0x0007000000016d60-41.dat	dcrat
behavioral1/memory/2832-45-0x00000000000D0000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/1176-108-0x0000000000240000-0x0000000000610000-memory.dmp	dcrat

Executes dropped EXE 6 IoCs

pid	Process
2696	midnight.exe
2804	midnight(.exe
2568	midni.exe
1184	Process not Found
2832	perfdll.exe
1176	spoolsv.exe

Loads dropped DLL 5 IoCs

pid	Process
1924	0c8a0a7c4e92809c7f8303d35d7f0d84.exe
2804	midnight(.exe
1184	Process not Found
928	cmd.exe
928	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\Legal\\ENU\\csrss.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\HypercomComponentwebDhcp\\csrss.exe\""	perfdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Photo Viewer\\de-DE\\smss.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\dwm.exe\""	perfdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\SysWOW64\\Printing_Admin_Scripts\\es-ES\\services.exe\""	perfdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\taskhost.exe\""	perfdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\OSPPSVC.exe\""	perfdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\winlogon.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsm.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\taskhost.exe\""	perfdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\HypercomComponentwebDhcp\\lsm.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Uninstall Information\\explorer.exe\""	perfdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\dwm.exe\""	perfdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\Part\\dwm.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\OSPPSVC.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\winlogon.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Photo Viewer\\de-DE\\smss.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\midni = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\midni.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\HypercomComponentwebDhcp\\dwm.exe\""	perfdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\midni = "\"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\midni.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\midni = "\"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\midni.exe\""	perfdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\HypercomComponentwebDhcp\\spoolsv.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\HypercomComponentwebDhcp\\spoolsv.exe\""	perfdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsm.exe\""	perfdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\midni = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\midni.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\""	perfdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsm.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsm.exe\""	perfdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Uninstall Information\\explorer.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\Part\\dwm.exe\""	perfdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\HypercomComponentwebDhcp\\dwm.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\SysWOW64\\Printing_Admin_Scripts\\es-ES\\services.exe\""	perfdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\Legal\\ENU\\csrss.exe\""	perfdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\HypercomComponentwebDhcp\\lsm.exe\""	perfdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\HypercomComponentwebDhcp\\csrss.exe\""	perfdll.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	perfdll.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfdll.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\c5b4cb5e9653cc	perfdll.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\services.exe	perfdll.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\de-DE\69ddcba757bf72	perfdll.exe
File created	C:\Program Files\Uninstall Information\explorer.exe	perfdll.exe
File created	C:\Program Files\Uninstall Information\7a0fd90576e088	perfdll.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\dwm.exe	perfdll.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\6cb0b6c459d5d3	perfdll.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\csrss.exe	perfdll.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\886983d96e3d3e	perfdll.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\smss.exe	perfdll.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\DataStore\lsm.exe	perfdll.exe
File created	C:\Windows\Performance\WinSAT\DataStore\101b941d020240	perfdll.exe
File created	C:\Windows\AppCompat\Programs\taskhost.exe	perfdll.exe
File created	C:\Windows\AppCompat\Programs\b75386f1303e64	perfdll.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	midnight.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2152	schtasks.exe
2820	schtasks.exe
1384	schtasks.exe
1684	schtasks.exe
1120	schtasks.exe
760	schtasks.exe
1368	schtasks.exe
596	schtasks.exe
2900	schtasks.exe
2728	schtasks.exe
2908	schtasks.exe
2024	schtasks.exe
2516	schtasks.exe
2520	schtasks.exe
2584	schtasks.exe
2128	schtasks.exe
1248	schtasks.exe
2692	schtasks.exe
2100	schtasks.exe
812	schtasks.exe
2936	schtasks.exe
2884	schtasks.exe
2756	schtasks.exe
2968	schtasks.exe
2916	schtasks.exe
2680	schtasks.exe
2988	schtasks.exe
1908	schtasks.exe
2448	schtasks.exe
2196	schtasks.exe
1480	schtasks.exe
2432	schtasks.exe
1260	schtasks.exe
1736	schtasks.exe
2964	schtasks.exe
3032	schtasks.exe
2088	schtasks.exe
2272	schtasks.exe
700	schtasks.exe
1488	schtasks.exe
2512	schtasks.exe
308	schtasks.exe
2952	schtasks.exe
2600	schtasks.exe
2972	schtasks.exe
880	schtasks.exe
3052	schtasks.exe
2580	schtasks.exe
1804	schtasks.exe
2792	schtasks.exe
680	schtasks.exe
2912	schtasks.exe
848	schtasks.exe
1960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2832	perfdll.exe
2832	perfdll.exe
2832	perfdll.exe
1176	spoolsv.exe
1176	spoolsv.exe
1176	spoolsv.exe
1176	spoolsv.exe
1176	spoolsv.exe
1176	spoolsv.exe
1176	spoolsv.exe
1176	spoolsv.exe
1176	spoolsv.exe
1176	spoolsv.exe
1176	spoolsv.exe
1176	spoolsv.exe
1176	spoolsv.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1176	spoolsv.exe
2568	midni.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	perfdll.exe
Token: SeDebugPrivilege	1176	spoolsv.exe
Token: SeBackupPrivilege	2284	vssvc.exe
Token: SeRestorePrivilege	2284	vssvc.exe
Token: SeAuditPrivilege	2284	vssvc.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2696	1924	0c8a0a7c4e92809c7f8303d35d7f0d84.exe	30
PID 1924 wrote to memory of 2696	1924	0c8a0a7c4e92809c7f8303d35d7f0d84.exe	30
PID 1924 wrote to memory of 2696	1924	0c8a0a7c4e92809c7f8303d35d7f0d84.exe	30
PID 1924 wrote to memory of 2696	1924	0c8a0a7c4e92809c7f8303d35d7f0d84.exe	30
PID 1924 wrote to memory of 2804	1924	0c8a0a7c4e92809c7f8303d35d7f0d84.exe	31
PID 1924 wrote to memory of 2804	1924	0c8a0a7c4e92809c7f8303d35d7f0d84.exe	31
PID 1924 wrote to memory of 2804	1924	0c8a0a7c4e92809c7f8303d35d7f0d84.exe	31
PID 2696 wrote to memory of 2756	2696	midnight.exe	32
PID 2696 wrote to memory of 2756	2696	midnight.exe	32
PID 2696 wrote to memory of 2756	2696	midnight.exe	32
PID 2696 wrote to memory of 2756	2696	midnight.exe	32
PID 2804 wrote to memory of 2568	2804	midnight(.exe	33
PID 2804 wrote to memory of 2568	2804	midnight(.exe	33
PID 2804 wrote to memory of 2568	2804	midnight(.exe	33
PID 2756 wrote to memory of 928	2756	WScript.exe	34
PID 2756 wrote to memory of 928	2756	WScript.exe	34
PID 2756 wrote to memory of 928	2756	WScript.exe	34
PID 2756 wrote to memory of 928	2756	WScript.exe	34
PID 928 wrote to memory of 2832	928	cmd.exe	36
PID 928 wrote to memory of 2832	928	cmd.exe	36
PID 928 wrote to memory of 2832	928	cmd.exe	36
PID 928 wrote to memory of 2832	928	cmd.exe	36
PID 2832 wrote to memory of 1176	2832	perfdll.exe	92
PID 2832 wrote to memory of 1176	2832	perfdll.exe	92
PID 2832 wrote to memory of 1176	2832	perfdll.exe	92
PID 1176 wrote to memory of 264	1176	spoolsv.exe	93
PID 1176 wrote to memory of 264	1176	spoolsv.exe	93
PID 1176 wrote to memory of 264	1176	spoolsv.exe	93
PID 1176 wrote to memory of 1600	1176	spoolsv.exe	94
PID 1176 wrote to memory of 1600	1176	spoolsv.exe	94
PID 1176 wrote to memory of 1600	1176	spoolsv.exe	94

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	perfdll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	perfdll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	perfdll.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0c8a0a7c4e92809c7f8303d35d7f0d84.exe
"C:\Users\Admin\AppData\Local\Temp\0c8a0a7c4e92809c7f8303d35d7f0d84.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\midnight.exe
  "C:\Users\Admin\AppData\Local\Temp\midnight.exe"
  2⤵
  - DcRat
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\HypercomComponentwebDhcp\A8jWJusTtraIk1b59.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\HypercomComponentwebDhcp\IEwUUYV5m7a4xMEXWiWnecp.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:928
    - - C:\HypercomComponentwebDhcp\perfdll.exe
        
        "C:\HypercomComponentwebDhcp\perfdll.exe"
        5⤵
        Modifies WinLogon for persistence
        UAC bypass
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2832
      - C:\HypercomComponentwebDhcp\spoolsv.exe
        
        "C:\HypercomComponentwebDhcp\spoolsv.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a25e440a-54d0-4f81-b4d5-04610e7a6a73.vbs"
        7⤵
        
        PID:264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67ede3f2-a198-4102-9b48-2bf83f4902fd.vbs"
        7⤵
        
        PID:1600
- C:\Users\Admin\AppData\Local\Temp\midnight(.exe
  "C:\Users\Admin\AppData\Local\Temp\midnight(.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\midni.exe
    "C:\Users\Admin\AppData\Local\Temp\midni.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "midnim" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\midni.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "midni" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\midni.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "midnim" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\midni.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\HypercomComponentwebDhcp\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\HypercomComponentwebDhcp\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\HypercomComponentwebDhcp\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\AppCompat\Programs\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\AppCompat\Programs\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\HypercomComponentwebDhcp\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\HypercomComponentwebDhcp\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\HypercomComponentwebDhcp\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "midnim" /sc MINUTE /mo 6 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\midni.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "midni" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\midni.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "midnim" /sc MINUTE /mo 10 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\midni.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\HypercomComponentwebDhcp\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\HypercomComponentwebDhcp\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\HypercomComponentwebDhcp\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\HypercomComponentwebDhcp\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\HypercomComponentwebDhcp\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\HypercomComponentwebDhcp\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\DataStore\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\WinSAT\DataStore\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HypercomComponentwebDhcp\A8jWJusTtraIk1b59.vbe

Filesize
224B

MD5
6c5a0d3f80c0a3ccc9e69824da951da6

SHA1
a3a7ef9cedf3207f696a712b6773e3a55608fbf5

SHA256
1aab80069c559cf05aae781ab6b09861f47b25948c184b67ab4b58e424c73164

SHA512
3cc1d7f36ce30f8897aa4b82f33ac9abb49d35959286e5e724db8ce747e6ebe85b7c2b093d1ec02c7f09eb2f92b897583a633b79f5420f3badb63cc0a76b1d98

Download Submit
C:\HypercomComponentwebDhcp\IEwUUYV5m7a4xMEXWiWnecp.bat

Filesize
41B

MD5
07f925c0394c46462aeaa6013fe6d7da

SHA1
9ae646616e4327c36f299e04b187d79bb647b941

SHA256
d4b56955063bb1daba53886eb017780e68b76494a82d70f97a30a8281adc63f5

SHA512
c6741fbd27f4cdb112e9d6d17e5a4b26f9f88329d0eda829c9270f0eea49e221ab2839a40ecca87585822bfffb490d1624cab17e7c2332e3ba933a511f3babac

Download Submit
C:\Users\Admin\AppData\Local\Temp\67ede3f2-a198-4102-9b48-2bf83f4902fd.vbs

Filesize
491B

MD5
c606e15c6010ff032b0689d100dc67e1

SHA1
b4eb7e4b1a8044d0b42548927ddddcabcf6b113a

SHA256
9636779ac33d38901bb6c08c2ae46a64d85884ac709f0df52201252571ba7125

SHA512
c9d9a1814a96519924a6a0b9152fcdb4d73738e321cf3890ea6fffcf1715a201557e2eed0aa5e60c99fd33974a5563bc255e1389a22e7c1531fc629be2dc52eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a25e440a-54d0-4f81-b4d5-04610e7a6a73.vbs

Filesize
715B

MD5
e80935e3e616a032889bcff1f888e20f

SHA1
979fafd9768e0f80968daa75bee3ceba2422945b

SHA256
e98667f919f206c3134f7f17b1bc61e384e1b40a38847907766ddf7cb7784868

SHA512
82708431895ca1e7989023d457c29b8caefbe04e6653e103711321a377c23eff4b3b8e3c34e690b897d561d75c56c0e451fa1d26150718db522dc9cdc0a323d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\midnight.exe

Filesize
4.3MB

MD5
9b1ed067e43e0489a444b5135892f7f3

SHA1
ba6e2e07354fa47aa51160ac61de38bb5cefad03

SHA256
16600f1ac5b9c2fc43a08bfd25c590c382d14e3d1dd0c9b94665cffc0576bd60

SHA512
ee41ed8b5f54150f034f4f6dff7bfdbb5ba4e7027615732522ca5fedaeb77f6ef5c2e8e8dea30bf6ef0a82fab2cfb08951981e198435a9e76c2b91def34d5954

Download Submit
\HypercomComponentwebDhcp\perfdll.exe

Filesize
3.8MB

MD5
c8797d5297a13335c183f189c1823fdc

SHA1
83331054936284e390b5a767f624a894269bf1d1

SHA256
9bbc7eed5281b551203971ede8fd2b4c7cb88fe04312185d1b61b9e4b329b329

SHA512
a998016377ee89a0df1f9202be0b4990ec48421f2abc3d8f17abf1452188710e7b4e4f07e9148f99960db33c9801169414538a78abcfc29df84ea287ac573954

Download Submit
\Users\Admin\AppData\Local\Temp\midni.exe

Filesize
139KB

MD5
09897385b47bb55ce7f5061aa8003b22

SHA1
c323db05bd880abc58d4ed022dd915ab9b37fbbe

SHA256
3e957a0600ee257e2e680ada269b1bb505b4f25227c9c81faa39f56c6b179302

SHA512
fcd90430236d4a282961a3d9e8682847d782d49b49c5b42df7132747a0e06bd727356f8d8b6d5165f902e62e2a6b7779f9e9c475c50b5a512ab20530c758e23e

Download Submit
\Users\Admin\AppData\Local\Temp\midnight(.exe

Filesize
1.2MB

MD5
bdfb80b2bb0b0410356d7cdac628d9b2

SHA1
33342b297d6804d49e2efbf6c0b05d6768787eff

SHA256
503671ec90772706cb8e949a9056c948e09c5bb99599efff67d27b900d1fae21

SHA512
c1eed4bea24d408c530632eb63f363264b7b774dcec0136d97735f1278544c1c3532f9f14421c7fe6de5b03472fad9e0694f0f4c92b73afc48b49fca4a9ebe1e

Download Submit
memory/1176-109-0x0000000002450000-0x00000000024A6000-memory.dmp

Filesize
344KB

Download
memory/1176-108-0x0000000000240000-0x0000000000610000-memory.dmp

Filesize
3.8MB

Download
memory/2832-53-0x0000000002260000-0x000000000226A000-memory.dmp

Filesize
40KB

Download
memory/2832-60-0x000000001B0F0000-0x000000001B0FA000-memory.dmp

Filesize
40KB

Download
memory/2832-51-0x0000000000A10000-0x0000000000A26000-memory.dmp

Filesize
88KB

Download
memory/2832-52-0x0000000000980000-0x000000000098C000-memory.dmp

Filesize
48KB

Download
memory/2832-49-0x0000000000740000-0x000000000075C000-memory.dmp

Filesize
112KB

Download
memory/2832-54-0x000000001A910000-0x000000001A966000-memory.dmp

Filesize
344KB

Download
memory/2832-55-0x00000000022F0000-0x00000000022FC000-memory.dmp

Filesize
48KB

Download
memory/2832-56-0x0000000002300000-0x0000000002312000-memory.dmp

Filesize
72KB

Download
memory/2832-57-0x000000001AFD0000-0x000000001AFDC000-memory.dmp

Filesize
48KB

Download
memory/2832-58-0x000000001B080000-0x000000001B088000-memory.dmp

Filesize
32KB

Download
memory/2832-59-0x000000001B0E0000-0x000000001B0E8000-memory.dmp

Filesize
32KB

Download
memory/2832-50-0x0000000000970000-0x0000000000978000-memory.dmp

Filesize
32KB

Download
memory/2832-61-0x000000001B180000-0x000000001B18E000-memory.dmp

Filesize
56KB

Download
memory/2832-62-0x000000001B190000-0x000000001B198000-memory.dmp

Filesize
32KB

Download
memory/2832-63-0x000000001B1A0000-0x000000001B1AE000-memory.dmp

Filesize
56KB

Download
memory/2832-64-0x000000001B2C0000-0x000000001B2CA000-memory.dmp

Filesize
40KB

Download
memory/2832-65-0x000000001B2D0000-0x000000001B2DC000-memory.dmp

Filesize
48KB

Download
memory/2832-48-0x0000000000730000-0x0000000000738000-memory.dmp

Filesize
32KB

Download
memory/2832-47-0x00000000006A0000-0x00000000006AE000-memory.dmp

Filesize
56KB

Download
memory/2832-46-0x0000000000690000-0x000000000069E000-memory.dmp

Filesize
56KB

Download
memory/2832-45-0x00000000000D0000-0x00000000004A0000-memory.dmp

Filesize
3.8MB

Download