dcrat | 34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AimWare.exe
Size

3.9MB
MD5

3fc02228a6229bc91c086bc24899361b
SHA1

3d33e93f771a1c77f2f01c2e15d52307f88d3bf0
SHA256

34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710
SHA512

1dbaeaa5855fca79ddb44f0570e5e4282347919d1629d32a6df1f9bce0f198e38ebb461f68518754116a3fa650e6e4f9541ff09ca067b10218962c162fd7ef99
SSDEEP

98304:Vbbzx+3YGfZNMGFWmkukCbYvziRNPRmB58hSKHO:Vd+1RNXFWuksaf7

Score

10^/10

dcrat discovery evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1824	schtasks.exe	33

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000014b6f-14.dat	dcrat
behavioral1/memory/2368-18-0x00000000010C0000-0x000000000146C000-memory.dmp	dcrat
behavioral1/memory/2412-69-0x00000000001B0000-0x000000000055C000-memory.dmp	dcrat
behavioral1/memory/2792-81-0x00000000013D0000-0x000000000177C000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Executes dropped EXE 4 IoCs

pid	Process
2368	Comref.exe
2412	services.exe
2792	services.exe
1060	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2496	cmd.exe
2496	cmd.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cc11b995f2a76d	Comref.exe
File created	C:\Program Files (x86)\Windows Sidebar\Comref.exe	Comref.exe
File created	C:\Program Files\MSBuild\spoolsv.exe	Comref.exe
File created	C:\Program Files\MSBuild\f3b6ecef712a24	Comref.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\wininit.exe	Comref.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe	Comref.exe
File created	C:\Program Files (x86)\Windows Sidebar\e13942d087a07a	Comref.exe
File created	C:\Program Files\7-Zip\Lang\conhost.exe	Comref.exe
File created	C:\Program Files\7-Zip\Lang\088424020bedd6	Comref.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\56085415360792	Comref.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\it-IT\conhost.exe	Comref.exe
File created	C:\Windows\it-IT\088424020bedd6	Comref.exe
File created	C:\Windows\addins\services.exe	Comref.exe
File created	C:\Windows\addins\c5b4cb5e9653cc	Comref.exe
File created	C:\Windows\PolicyDefinitions\de-DE\wscript.exe	Comref.exe
File created	C:\Windows\PolicyDefinitions\de-DE\817c8c8ec737a7	Comref.exe
File created	C:\Windows\it-IT\conhost.exe	Comref.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AimWare.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2984	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1664	schtasks.exe
800	schtasks.exe
2772	schtasks.exe
960	schtasks.exe
1784	schtasks.exe
2140	schtasks.exe
1616	schtasks.exe
2716	schtasks.exe
1864	schtasks.exe
2908	schtasks.exe
308	schtasks.exe
1320	schtasks.exe
2588	schtasks.exe
2052	schtasks.exe
2032	schtasks.exe
2100	schtasks.exe
2060	schtasks.exe
2808	schtasks.exe
576	schtasks.exe
840	schtasks.exe
1832	schtasks.exe
1068	schtasks.exe
408	schtasks.exe
2528	schtasks.exe
3012	schtasks.exe
964	schtasks.exe
2024	schtasks.exe
2840	schtasks.exe
1736	schtasks.exe
1036	schtasks.exe
2044	schtasks.exe
1376	schtasks.exe
1976	schtasks.exe
2128	schtasks.exe
1840	schtasks.exe
580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2368	Comref.exe
2368	Comref.exe
2368	Comref.exe
2368	Comref.exe
2368	Comref.exe
2368	Comref.exe
2368	Comref.exe
2368	Comref.exe
2368	Comref.exe
2368	Comref.exe
2368	Comref.exe
2412	services.exe
2792	services.exe
1060	services.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	Comref.exe
Token: SeDebugPrivilege	2412	services.exe
Token: SeDebugPrivilege	2792	services.exe
Token: SeDebugPrivilege	1060	services.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 3036	1928	AimWare.exe	28
PID 1928 wrote to memory of 3036	1928	AimWare.exe	28
PID 1928 wrote to memory of 3036	1928	AimWare.exe	28
PID 1928 wrote to memory of 3036	1928	AimWare.exe	28
PID 1928 wrote to memory of 2696	1928	AimWare.exe	29
PID 1928 wrote to memory of 2696	1928	AimWare.exe	29
PID 1928 wrote to memory of 2696	1928	AimWare.exe	29
PID 1928 wrote to memory of 2696	1928	AimWare.exe	29
PID 3036 wrote to memory of 2496	3036	WScript.exe	30
PID 3036 wrote to memory of 2496	3036	WScript.exe	30
PID 3036 wrote to memory of 2496	3036	WScript.exe	30
PID 3036 wrote to memory of 2496	3036	WScript.exe	30
PID 2496 wrote to memory of 2368	2496	cmd.exe	32
PID 2496 wrote to memory of 2368	2496	cmd.exe	32
PID 2496 wrote to memory of 2368	2496	cmd.exe	32
PID 2496 wrote to memory of 2368	2496	cmd.exe	32
PID 2368 wrote to memory of 924	2368	Comref.exe	70
PID 2368 wrote to memory of 924	2368	Comref.exe	70
PID 2368 wrote to memory of 924	2368	Comref.exe	70
PID 2496 wrote to memory of 2984	2496	cmd.exe	72
PID 2496 wrote to memory of 2984	2496	cmd.exe	72
PID 2496 wrote to memory of 2984	2496	cmd.exe	72
PID 2496 wrote to memory of 2984	2496	cmd.exe	72
PID 924 wrote to memory of 2188	924	cmd.exe	73
PID 924 wrote to memory of 2188	924	cmd.exe	73
PID 924 wrote to memory of 2188	924	cmd.exe	73
PID 924 wrote to memory of 2412	924	cmd.exe	74
PID 924 wrote to memory of 2412	924	cmd.exe	74
PID 924 wrote to memory of 2412	924	cmd.exe	74
PID 2412 wrote to memory of 1724	2412	services.exe	75
PID 2412 wrote to memory of 1724	2412	services.exe	75
PID 2412 wrote to memory of 1724	2412	services.exe	75
PID 2412 wrote to memory of 2580	2412	services.exe	76
PID 2412 wrote to memory of 2580	2412	services.exe	76
PID 2412 wrote to memory of 2580	2412	services.exe	76
PID 1724 wrote to memory of 2792	1724	WScript.exe	79
PID 1724 wrote to memory of 2792	1724	WScript.exe	79
PID 1724 wrote to memory of 2792	1724	WScript.exe	79
PID 2792 wrote to memory of 2528	2792	services.exe	80
PID 2792 wrote to memory of 2528	2792	services.exe	80
PID 2792 wrote to memory of 2528	2792	services.exe	80
PID 2792 wrote to memory of 2008	2792	services.exe	81
PID 2792 wrote to memory of 2008	2792	services.exe	81
PID 2792 wrote to memory of 2008	2792	services.exe	81
PID 2528 wrote to memory of 1060	2528	WScript.exe	82
PID 2528 wrote to memory of 1060	2528	WScript.exe	82
PID 2528 wrote to memory of 1060	2528	WScript.exe	82
PID 1060 wrote to memory of 2084	1060	services.exe	83
PID 1060 wrote to memory of 2084	1060	services.exe	83
PID 1060 wrote to memory of 2084	1060	services.exe	83
PID 1060 wrote to memory of 2140	1060	services.exe	84
PID 1060 wrote to memory of 2140	1060	services.exe	84
PID 1060 wrote to memory of 2140	1060	services.exe	84

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AimWare.exe
"C:\Users\Admin\AppData\Local\Temp\AimWare.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BlockPortWinDhcp\pIqe6hsiC.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\BlockPortWinDhcp\RuejCowmnwM9YNHuglg.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\BlockPortWinDhcp\Comref.exe
      "C:\BlockPortWinDhcp\Comref.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2368
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TXzTWsAaM8.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:924
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2188
      - C:\Windows\addins\services.exe
        
        "C:\Windows\addins\services.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e70bae25-73e1-4af9-9dd8-4616c2b4f0d1.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\addins\services.exe
        
        C:\Windows\addins\services.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e042a7b-b41b-4ae1-a505-14ecc0ec8e2c.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\addins\services.exe
        
        C:\Windows\addins\services.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ac7f1a6-9576-4300-99e8-072918df4638.vbs"
        11⤵
        
        PID:2084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\080174ef-794a-4293-8660-d713754b78a0.vbs"
        11⤵
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f7d2914-d592-4f8f-92ae-312bd7daa747.vbs"
        9⤵
        
        PID:2008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d43977d7-aa05-4124-96a3-da8c61a9738d.vbs"
        7⤵
        
        PID:2580
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BlockPortWinDhcp\file.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\addins\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\BlockPortWinDhcp\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\BlockPortWinDhcp\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\BlockPortWinDhcp\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComrefC" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Comref.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Comref" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Comref.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComrefC" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Comref.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComrefC" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\Comref.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Comref" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\Comref.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComrefC" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\Comref.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\MSBuild\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\de-DE\wscript.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\de-DE\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\de-DE\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\BlockPortWinDhcp\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\BlockPortWinDhcp\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\BlockPortWinDhcp\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BlockPortWinDhcp\RuejCowmnwM9YNHuglg.bat

Filesize
144B

MD5
ce3dd3c96548149537e6d3a679917a26

SHA1
0faba6346d98fe426902f01be3337bdb700bb4fa

SHA256
3d7dfa7a908d3eef1344c70e6ea39e14dba844fcc727fc6b2d4f07f488303c7c

SHA512
7326f45903c3eca92bc3de0ee50f13042f3f6cc6494da0273ba65a53308ba63b7607ac7f6b27dba20e649717781fc90254173ffd837fd7d98f21aa211f3af23d

Download Submit
C:\BlockPortWinDhcp\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\BlockPortWinDhcp\pIqe6hsiC.vbe

Filesize
209B

MD5
fe9707d9d0f3a70f1672c83f8ab78cab

SHA1
4d25ca2d7b215e7757eec53b2c55060756cf3fc0

SHA256
e50eaf2ab143000660efab3e91bef57d2407c372820d022a10dac8c06e0c8e99

SHA512
fab4bbb58aa50e636fb553fc9d01fa69ad63fbdf7e7d677ed8b7b29838ed9525489d871af2e7c3b5b7e6afb34f79fb2ad7ef0897f4b8ad52d887c4ab096a84e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ac7f1a6-9576-4300-99e8-072918df4638.vbs

Filesize
706B

MD5
b9494a3fbae40661901e1ceb8a7ae14e

SHA1
10180369b80e0ce830a0b65c8ecbac1d3aa3a2a5

SHA256
5fc3681cd404120eb24afca10db1e30785a93eb3093f7e4ddaab389e7556d6f3

SHA512
503c9227699d03a352896853b9a49e7a94aa12c31c4685960e335efe93272a3544680fdd494328dd0d51b756a738571ab4dbb51bc6244a17a9181690a9c7f3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e042a7b-b41b-4ae1-a505-14ecc0ec8e2c.vbs

Filesize
706B

MD5
4a24b0f6f8abfd9b1867f729cba76a50

SHA1
ce13fc37bcfcd146553d75fe2285d3c914e91319

SHA256
b3ec86ce773837bd4c6c98cbd8dfe8c650c2219751fbcf1bde92a7cb86916448

SHA512
aad2be69fe1317544d0516acb3c6e5d16c879c05a2c99dc9ce162707c9ab49b70a2ce6d63cbce99cbc793be38123161e3176738e8ca17294f56799cd1368fc64

Download Submit
C:\Users\Admin\AppData\Local\Temp\TXzTWsAaM8.bat

Filesize
195B

MD5
be47cb954a8f1a2e66cd8b09bf0d4d62

SHA1
987641b0f1a9cb0074b77f1ba14201ee466a8898

SHA256
f4124a39695595358299b9b356eaca42acab7aafe7737537b0d1beb6179e53fa

SHA512
0947df93c074ff27f91129c9b6eb17f33c0b18add9fd29bc4ee682fe17eeea111aa0bbd2a877704e350d080e794a123ec4a687a0eb7ff537f3f9d69009b1156f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d43977d7-aa05-4124-96a3-da8c61a9738d.vbs

Filesize
482B

MD5
f9b053f5e06aa81fe2a1cf8b9569cadd

SHA1
f82c4c795514c83686d9188dd10942c4f6bfd602

SHA256
0a04dc0623aac43af858897b9df8a9e9fb1bde19f40b92f874998a3ad847be97

SHA512
89180b18d954ef22d7643840db9b71853da50d49ff9ded2fceaea139169069637a3ddaf7e258fe655cf9be89a86aee8660633339c560941da288b8ab89c9e38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e70bae25-73e1-4af9-9dd8-4616c2b4f0d1.vbs

Filesize
706B

MD5
6f1f28216d78283fe0bb68908b0afe64

SHA1
8ffa09b2d68f7785361f7978ffa7fdc59f3fc278

SHA256
9223256c12d2c56471f1a76801a7e383a5efa56d6e00e660bef72ed9cf64a679

SHA512
ef37f20326ed3feaebdcb653b1e813a3e6062ebb772cd8e3747faf53e3c2aab945d00654cf84f13b79041093ca49bb687060c752182f98cf1fd4c1366695b012

Download Submit
\BlockPortWinDhcp\Comref.exe

Filesize
3.6MB

MD5
020fcee4acad7e7412ad0f27501ae749

SHA1
4282618cca56b75eb3921653c5daa2137eaa5ffa

SHA256
40ddad4ca2337022808328174ced0149caa955dcdf7a3b9eaf062818ffa43669

SHA512
e6c6749f7b8a67a5acc4910ccb59931582cb929392f7647f51d7d133cec3980375edc7d56be4d5cbac0f1d0ab1e46204b46b7349980aedaeb5a680a745fd7f9f

Download Submit
memory/1060-94-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/2368-22-0x0000000000B70000-0x0000000000B86000-memory.dmp

Filesize
88KB

Download
memory/2368-35-0x000000001AC00000-0x000000001AC08000-memory.dmp

Filesize
32KB

Download
memory/2368-26-0x0000000000D00000-0x0000000000D12000-memory.dmp

Filesize
72KB

Download
memory/2368-27-0x0000000000E30000-0x0000000000E38000-memory.dmp

Filesize
32KB

Download
memory/2368-28-0x0000000000E40000-0x0000000000E48000-memory.dmp

Filesize
32KB

Download
memory/2368-29-0x0000000001070000-0x00000000010C6000-memory.dmp

Filesize
344KB

Download
memory/2368-30-0x0000000000E50000-0x0000000000E58000-memory.dmp

Filesize
32KB

Download
memory/2368-31-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download
memory/2368-32-0x0000000000E70000-0x0000000000E7E000-memory.dmp

Filesize
56KB

Download
memory/2368-33-0x0000000000E80000-0x0000000000E88000-memory.dmp

Filesize
32KB

Download
memory/2368-34-0x000000001ABF0000-0x000000001ABFE000-memory.dmp

Filesize
56KB

Download
memory/2368-25-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/2368-36-0x000000001AC20000-0x000000001AC2A000-memory.dmp

Filesize
40KB

Download
memory/2368-37-0x000000001AC30000-0x000000001AC3C000-memory.dmp

Filesize
48KB

Download
memory/2368-24-0x0000000000C30000-0x0000000000C86000-memory.dmp

Filesize
344KB

Download
memory/2368-18-0x00000000010C0000-0x000000000146C000-memory.dmp

Filesize
3.7MB

Download
memory/2368-19-0x0000000000550000-0x000000000055E000-memory.dmp

Filesize
56KB

Download
memory/2368-23-0x0000000000B90000-0x0000000000B9A000-memory.dmp

Filesize
40KB

Download
memory/2368-21-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/2368-20-0x0000000000560000-0x000000000057C000-memory.dmp

Filesize
112KB

Download
memory/2412-70-0x0000000002470000-0x00000000024C6000-memory.dmp

Filesize
344KB

Download
memory/2412-69-0x00000000001B0000-0x000000000055C000-memory.dmp

Filesize
3.7MB

Download
memory/2792-82-0x0000000001380000-0x00000000013D6000-memory.dmp

Filesize
344KB

Download
memory/2792-81-0x00000000013D0000-0x000000000177C000-memory.dmp

Filesize
3.7MB

Download