dcrat | 34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710

Analysis

max time kernel
146s
max time network
145s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AimWare.exe
Size

3.9MB
MD5

3fc02228a6229bc91c086bc24899361b
SHA1

3d33e93f771a1c77f2f01c2e15d52307f88d3bf0
SHA256

34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710
SHA512

1dbaeaa5855fca79ddb44f0570e5e4282347919d1629d32a6df1f9bce0f198e38ebb461f68518754116a3fa650e6e4f9541ff09ca067b10218962c162fd7ef99
SSDEEP

98304:Vbbzx+3YGfZNMGFWmkukCbYvziRNPRmB58hSKHO:Vd+1RNXFWuksaf7

Score

10^/10

dcrat discovery evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2608	schtasks.exe

UAC bypass 3 TTPs 24 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exeComref.exewinlogon.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\BlockPortWinDhcp\Comref.exe	dcrat
behavioral1/memory/2796-18-0x0000000000DE0000-0x000000000118C000-memory.dmp	dcrat
behavioral1/memory/2744-75-0x00000000013C0000-0x000000000176C000-memory.dmp	dcrat
behavioral1/memory/1516-108-0x0000000000070000-0x000000000041C000-memory.dmp	dcrat
behavioral1/memory/876-120-0x0000000000FA0000-0x000000000134C000-memory.dmp	dcrat
behavioral1/memory/2228-145-0x0000000000370000-0x000000000071C000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion
Executes dropped EXE 8 IoCs

Processes:

Comref.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid process

2796 Comref.exe
2744 winlogon.exe
1936 winlogon.exe
2772 winlogon.exe
1516 winlogon.exe
876 winlogon.exe
2328 winlogon.exe
2228 winlogon.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1604 cmd.exe
1604 cmd.exe

pid	process
1604	cmd.exe
1604	cmd.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

winlogon.exewinlogon.exeComref.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Comref.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Drops file in Program Files directory 12 IoCs

Processes:

Comref.exe

description	ioc	process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\cc11b995f2a76d	Comref.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\6203df4a6bafc7	Comref.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe	Comref.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\6203df4a6bafc7	Comref.exe
File created	C:\Program Files\Windows Media Player\de-DE\OSPPSVC.exe	Comref.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\c5b4cb5e9653cc	Comref.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe	Comref.exe
File created	C:\Program Files\Reference Assemblies\Idle.exe	Comref.exe
File created	C:\Program Files\Reference Assemblies\6ccacd8608530f	Comref.exe
File created	C:\Program Files\Windows Media Player\de-DE\1610b97d3ab4a7	Comref.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\services.exe	Comref.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\lsass.exe	Comref.exe

Drops file in Windows directory 2 IoCs

Processes:

Comref.exe

description ioc process

File created C:\Windows\Fonts\conhost.exe Comref.exe
File created C:\Windows\Fonts\088424020bedd6 Comref.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Fonts\conhost.exe	Comref.exe
File created	C:\Windows\Fonts\088424020bedd6	Comref.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AimWare.exeWScript.exeWScript.execmd.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AimWare.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2564 reg.exe

pid	process
2564	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2420	schtasks.exe
3040	schtasks.exe
2124	schtasks.exe
344	schtasks.exe
1296	schtasks.exe
2360	schtasks.exe
1580	schtasks.exe
1616	schtasks.exe
1976	schtasks.exe
1064	schtasks.exe
1932	schtasks.exe
1152	schtasks.exe
2948	schtasks.exe
868	schtasks.exe
2776	schtasks.exe
2916	schtasks.exe
1044	schtasks.exe
2028	schtasks.exe
1680	schtasks.exe
2812	schtasks.exe
2580	schtasks.exe
3064	schtasks.exe
1768	schtasks.exe
2248	schtasks.exe
2180	schtasks.exe
2240	schtasks.exe
644	schtasks.exe
1692	schtasks.exe
2224	schtasks.exe
904	schtasks.exe
2200	schtasks.exe
2780	schtasks.exe
2136	schtasks.exe
2644	schtasks.exe
1136	schtasks.exe
688	schtasks.exe
2440	schtasks.exe
3052	schtasks.exe
2724	schtasks.exe
2880	schtasks.exe
1648	schtasks.exe
1716	schtasks.exe
448	schtasks.exe
872	schtasks.exe
944	schtasks.exe
2364	schtasks.exe
1876	schtasks.exe
1104	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Comref.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid	process
2796	Comref.exe
2796	Comref.exe
2796	Comref.exe
2744	winlogon.exe
1936	winlogon.exe
2772	winlogon.exe
1516	winlogon.exe
876	winlogon.exe
2328	winlogon.exe
2228	winlogon.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Comref.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	pid	process
Token: SeDebugPrivilege	2796	Comref.exe
Token: SeDebugPrivilege	2744	winlogon.exe
Token: SeDebugPrivilege	1936	winlogon.exe
Token: SeDebugPrivilege	2772	winlogon.exe
Token: SeDebugPrivilege	1516	winlogon.exe
Token: SeDebugPrivilege	876	winlogon.exe
Token: SeDebugPrivilege	2328	winlogon.exe
Token: SeDebugPrivilege	2228	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AimWare.exeWScript.execmd.exeComref.exewinlogon.exeWScript.exewinlogon.exeWScript.exewinlogon.exeWScript.exewinlogon.exeWScript.exewinlogon.exe

description	pid	process	target process
PID 784 wrote to memory of 2516	784	AimWare.exe	WScript.exe
PID 784 wrote to memory of 2516	784	AimWare.exe	WScript.exe
PID 784 wrote to memory of 2516	784	AimWare.exe	WScript.exe
PID 784 wrote to memory of 2516	784	AimWare.exe	WScript.exe
PID 784 wrote to memory of 1820	784	AimWare.exe	WScript.exe
PID 784 wrote to memory of 1820	784	AimWare.exe	WScript.exe
PID 784 wrote to memory of 1820	784	AimWare.exe	WScript.exe
PID 784 wrote to memory of 1820	784	AimWare.exe	WScript.exe
PID 2516 wrote to memory of 1604	2516	WScript.exe	cmd.exe
PID 2516 wrote to memory of 1604	2516	WScript.exe	cmd.exe
PID 2516 wrote to memory of 1604	2516	WScript.exe	cmd.exe
PID 2516 wrote to memory of 1604	2516	WScript.exe	cmd.exe
PID 1604 wrote to memory of 2796	1604	cmd.exe	Comref.exe
PID 1604 wrote to memory of 2796	1604	cmd.exe	Comref.exe
PID 1604 wrote to memory of 2796	1604	cmd.exe	Comref.exe
PID 1604 wrote to memory of 2796	1604	cmd.exe	Comref.exe
PID 2796 wrote to memory of 2744	2796	Comref.exe	winlogon.exe
PID 2796 wrote to memory of 2744	2796	Comref.exe	winlogon.exe
PID 2796 wrote to memory of 2744	2796	Comref.exe	winlogon.exe
PID 1604 wrote to memory of 2564	1604	cmd.exe	reg.exe
PID 1604 wrote to memory of 2564	1604	cmd.exe	reg.exe
PID 1604 wrote to memory of 2564	1604	cmd.exe	reg.exe
PID 1604 wrote to memory of 2564	1604	cmd.exe	reg.exe
PID 2744 wrote to memory of 1624	2744	winlogon.exe	WScript.exe
PID 2744 wrote to memory of 1624	2744	winlogon.exe	WScript.exe
PID 2744 wrote to memory of 1624	2744	winlogon.exe	WScript.exe
PID 2744 wrote to memory of 2924	2744	winlogon.exe	WScript.exe
PID 2744 wrote to memory of 2924	2744	winlogon.exe	WScript.exe
PID 2744 wrote to memory of 2924	2744	winlogon.exe	WScript.exe
PID 1624 wrote to memory of 1936	1624	WScript.exe	winlogon.exe
PID 1624 wrote to memory of 1936	1624	WScript.exe	winlogon.exe
PID 1624 wrote to memory of 1936	1624	WScript.exe	winlogon.exe
PID 1936 wrote to memory of 1508	1936	winlogon.exe	WScript.exe
PID 1936 wrote to memory of 1508	1936	winlogon.exe	WScript.exe
PID 1936 wrote to memory of 1508	1936	winlogon.exe	WScript.exe
PID 1936 wrote to memory of 3000	1936	winlogon.exe	WScript.exe
PID 1936 wrote to memory of 3000	1936	winlogon.exe	WScript.exe
PID 1936 wrote to memory of 3000	1936	winlogon.exe	WScript.exe
PID 1508 wrote to memory of 2772	1508	WScript.exe	winlogon.exe
PID 1508 wrote to memory of 2772	1508	WScript.exe	winlogon.exe
PID 1508 wrote to memory of 2772	1508	WScript.exe	winlogon.exe
PID 2772 wrote to memory of 2896	2772	winlogon.exe	WScript.exe
PID 2772 wrote to memory of 2896	2772	winlogon.exe	WScript.exe
PID 2772 wrote to memory of 2896	2772	winlogon.exe	WScript.exe
PID 2772 wrote to memory of 2692	2772	winlogon.exe	WScript.exe
PID 2772 wrote to memory of 2692	2772	winlogon.exe	WScript.exe
PID 2772 wrote to memory of 2692	2772	winlogon.exe	WScript.exe
PID 2896 wrote to memory of 1516	2896	WScript.exe	winlogon.exe
PID 2896 wrote to memory of 1516	2896	WScript.exe	winlogon.exe
PID 2896 wrote to memory of 1516	2896	WScript.exe	winlogon.exe
PID 1516 wrote to memory of 2652	1516	winlogon.exe	WScript.exe
PID 1516 wrote to memory of 2652	1516	winlogon.exe	WScript.exe
PID 1516 wrote to memory of 2652	1516	winlogon.exe	WScript.exe
PID 1516 wrote to memory of 2488	1516	winlogon.exe	WScript.exe
PID 1516 wrote to memory of 2488	1516	winlogon.exe	WScript.exe
PID 1516 wrote to memory of 2488	1516	winlogon.exe	WScript.exe
PID 2652 wrote to memory of 876	2652	WScript.exe	winlogon.exe
PID 2652 wrote to memory of 876	2652	WScript.exe	winlogon.exe
PID 2652 wrote to memory of 876	2652	WScript.exe	winlogon.exe
PID 876 wrote to memory of 2712	876	winlogon.exe	WScript.exe
PID 876 wrote to memory of 2712	876	winlogon.exe	WScript.exe
PID 876 wrote to memory of 2712	876	winlogon.exe	WScript.exe
PID 876 wrote to memory of 2744	876	winlogon.exe	WScript.exe
PID 876 wrote to memory of 2744	876	winlogon.exe	WScript.exe

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

Processes:

winlogon.exewinlogon.exewinlogon.exeComref.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AimWare.exe
"C:\Users\Admin\AppData\Local\Temp\AimWare.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\BlockPortWinDhcp\pIqe6hsiC.vbe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\BlockPortWinDhcp\RuejCowmnwM9YNHuglg.bat" "
3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1604

C:\BlockPortWinDhcp\Comref.exe
"C:\BlockPortWinDhcp\Comref.exe"
4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2796

C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe
"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe"
5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2744

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a60053d1-b566-4e04-b9df-6169c72360ef.vbs"
6⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe
7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1936

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d2b9fee-b87d-45f7-a554-5bb1f87f1b63.vbs"
8⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe
9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2772

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62192508-7c84-4a13-b9ba-b9f0d85ca6c1.vbs"
10⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe
11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1516

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f87f21ca-3917-4f01-a9af-ddb9b9beab48.vbs"
12⤵
- Suspicious use of WriteProcessMemory
PID:2652

C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe
13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:876

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\227b8351-01bc-4470-8679-0abee8109e9b.vbs"
14⤵
PID:2712

C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe
15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2328

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52af840a-cac6-40fc-83c8-e944c7a8b92f.vbs"
16⤵
PID:2060

C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe
17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2228

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20125697-7f42-48aa-b51b-eaf9621ded27.vbs"
18⤵
PID:1864

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\731865ec-74fa-4df4-9301-42ef6f9ba267.vbs"
18⤵
PID:1992

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a81e5b9-d4db-45d1-89a4-3ad66a27eed2.vbs"
16⤵
PID:2288

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44d5bc77-5cb1-4db2-93ad-89f8b4a3382d.vbs"
14⤵
PID:2744

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b9dacdc-128f-4317-bdf9-e7bc74de1086.vbs"
12⤵
PID:2488

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c949e01-a8a2-4fcf-9e81-7e43565b25bc.vbs"
10⤵
PID:2692

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59c21733-bc3f-4a21-b0a3-ef6f4fcdaf13.vbs"
8⤵
PID:3000

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96c37a80-6b55-4416-987f-77e13d5ba599.vbs"
6⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2564

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\BlockPortWinDhcp\file.vbs"
2⤵
- System Location Discovery: System Language Discovery
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Local Settings\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Local Settings\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wscript.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\en-US\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComrefC" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Comref.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Comref" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Comref.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComrefC" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Comref.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\de-DE\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Fonts\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BlockPortWinDhcp\Comref.exe
Filesize
3.6MB

MD5
020fcee4acad7e7412ad0f27501ae749

SHA1
4282618cca56b75eb3921653c5daa2137eaa5ffa

SHA256
40ddad4ca2337022808328174ced0149caa955dcdf7a3b9eaf062818ffa43669

SHA512
e6c6749f7b8a67a5acc4910ccb59931582cb929392f7647f51d7d133cec3980375edc7d56be4d5cbac0f1d0ab1e46204b46b7349980aedaeb5a680a745fd7f9f

Download Submit
C:\BlockPortWinDhcp\RuejCowmnwM9YNHuglg.bat
Filesize
144B

MD5
ce3dd3c96548149537e6d3a679917a26

SHA1
0faba6346d98fe426902f01be3337bdb700bb4fa

SHA256
3d7dfa7a908d3eef1344c70e6ea39e14dba844fcc727fc6b2d4f07f488303c7c

SHA512
7326f45903c3eca92bc3de0ee50f13042f3f6cc6494da0273ba65a53308ba63b7607ac7f6b27dba20e649717781fc90254173ffd837fd7d98f21aa211f3af23d

Download Submit
C:\BlockPortWinDhcp\file.vbs
Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\BlockPortWinDhcp\pIqe6hsiC.vbe
Filesize
209B

MD5
fe9707d9d0f3a70f1672c83f8ab78cab

SHA1
4d25ca2d7b215e7757eec53b2c55060756cf3fc0

SHA256
e50eaf2ab143000660efab3e91bef57d2407c372820d022a10dac8c06e0c8e99

SHA512
fab4bbb58aa50e636fb553fc9d01fa69ad63fbdf7e7d677ed8b7b29838ed9525489d871af2e7c3b5b7e6afb34f79fb2ad7ef0897f4b8ad52d887c4ab096a84e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\20125697-7f42-48aa-b51b-eaf9621ded27.vbs
Filesize
737B

MD5
5c0384fee81120ab0cdab53bf2a2cfe6

SHA1
9910ad6aceba27d66654c6e1b2e3c583fa29a02c

SHA256
118a5cbbba91d61ea83bfaf31140e0cf91f0631e62f2652961e0edb89a2ab789

SHA512
ee2ca38bd7dc981d885d33715e2fc4991c151fadb03f2e75c6bc0a1636b155671ebc5a0684f14368cace6c72fa52e9b848ade3caf253a6c3f19d579e091907dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\227b8351-01bc-4470-8679-0abee8109e9b.vbs
Filesize
736B

MD5
55967a9be1b867d22cfdeda35ce92677

SHA1
ecb820a4ad0cc619dd74377ee6add5c984f8e78f

SHA256
7866873c25a25c8dc9a2a034c7aaddf133606902852250880dedef4c258cffcb

SHA512
01eb5a3785bb4b30e187e1e81b9d5fd4e779fbc405d726f676df4dfcfd71da55ce0ddb2ab4184f4b9677fb6cf4d80a4990a54664a741e3bc07a95e0c2202be0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d2b9fee-b87d-45f7-a554-5bb1f87f1b63.vbs
Filesize
737B

MD5
54b5928eefd4ce50b182b1b7f3e38fe0

SHA1
f78146c0815991cf0183c723070085cc780d63f0

SHA256
2bad87d9f517206052c610c098d8b82c8b7f7e013f65a532097fdc731c56e6aa

SHA512
6b5e1a1a511774b50894846a92170461bd225b1c0cbc462b7a3d278349f72098d16ed1450df8a8d7cee12d0e5a2a07fafc0d20d562ac66f12178850767f91400

Download Submit
C:\Users\Admin\AppData\Local\Temp\52af840a-cac6-40fc-83c8-e944c7a8b92f.vbs
Filesize
737B

MD5
3544a808baf8bcd412c8006289ddcd66

SHA1
0ac7e88fcb55eb566283d91b1be904e7afce9ad8

SHA256
e2c7f1ff041e0ea281c7f793f56811471411a29e969b3a47bba2ee67b82f1d58

SHA512
2f6a64896495e189e3d984fb514e063acdc99dd740ce6f9467e274764cbfd81873a6e51d4c1b6a6234f7c6d3b7f1966d87aa1ce6b018864ed3ac1113af91d08c

Download Submit
C:\Users\Admin\AppData\Local\Temp\62192508-7c84-4a13-b9ba-b9f0d85ca6c1.vbs
Filesize
737B

MD5
04fabe6f569f915a19ffbdf280beb8a7

SHA1
60f4cffb8c4aa5c80b5ebbcd27110c989b4752b3

SHA256
fe1519bf5a0d474b9a60b1de8b46ea830b505744e6920fa68675c0f824b2989d

SHA512
a25cee69130cb7285b5fe1ecc7fc339807046da305a1cd91368a9528c85a4ac366d22a4801b6dfcd983216461384571ca2556d58f48b20bbca7706dbeb6cad78

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c37a80-6b55-4416-987f-77e13d5ba599.vbs
Filesize
513B

MD5
5e00b58262f7a28798f2e0827127a50d

SHA1
714be7a1e0968b19ecb0fbab970e548c1b059fff

SHA256
7c7add196d97f6d093f4f16572c58d0e984b7922a260383a36d4670b16601bb1

SHA512
decc8a262cd7d619fe17141ee004c0639ca6098a0ef4c2f4c670178e736f9799414dcee53bf78abcaf561dffd570396a5ec432987100fc8a568e09c54a5dafed

Download Submit
C:\Users\Admin\AppData\Local\Temp\a60053d1-b566-4e04-b9df-6169c72360ef.vbs
Filesize
737B

MD5
e58bdbc0cd6037ff6e4bb23bb5993369

SHA1
31df90defc75ce8020d09ebeb1d5527ffc78f34c

SHA256
a3e7887abbb91341851cea056b27b31d3aea1e7376cbf88d55d4c7ecf362b25b

SHA512
5cfaecfdcda8ee3623d7194879fb3e5f6246c2de21b5d0aa3379f46a43681ec03e08c64f9f84bf56c04ad6ac2397fe330626ce93570e5b4b8541086ad99e7631

Download Submit
C:\Users\Admin\AppData\Local\Temp\f87f21ca-3917-4f01-a9af-ddb9b9beab48.vbs
Filesize
737B

MD5
0177331eca1b48fd5475eacac0fa8395

SHA1
dfd1c9aed2c3979b2d69abee2fce42183b2d0886

SHA256
3564c33169f2e0fff9b5c4ff06598ae42257c1d32c48e106e5509903f03c8589

SHA512
1451065156a5444c1434888bcedcbb0e9fbb0ad8a9dd6f7e87e3a6758cff0b782d6af69b5da3adca11896f8ac051dfb2720f9f407946b2f8327f2dfcbf21896c

Download Submit
memory/876-121-0x00000000003F0000-0x0000000000402000-memory.dmp

Filesize
72KB

Download
memory/876-120-0x0000000000FA0000-0x000000000134C000-memory.dmp

Filesize
3.7MB

Download
memory/1516-108-0x0000000000070000-0x000000000041C000-memory.dmp

Filesize
3.7MB

Download
memory/2228-145-0x0000000000370000-0x000000000071C000-memory.dmp

Filesize
3.7MB

Download
memory/2328-133-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/2744-75-0x00000000013C0000-0x000000000176C000-memory.dmp

Filesize
3.7MB

Download
memory/2796-23-0x0000000000C50000-0x0000000000C5A000-memory.dmp

Filesize
40KB

Download
memory/2796-28-0x000000001AA60000-0x000000001AA68000-memory.dmp

Filesize
32KB

Download
memory/2796-34-0x000000001AFC0000-0x000000001AFC8000-memory.dmp

Filesize
32KB

Download
memory/2796-35-0x000000001AFE0000-0x000000001AFEA000-memory.dmp

Filesize
40KB

Download
memory/2796-36-0x000000001AFF0000-0x000000001AFFC000-memory.dmp

Filesize
48KB

Download
memory/2796-32-0x000000001AFA0000-0x000000001AFA8000-memory.dmp

Filesize
32KB

Download
memory/2796-31-0x000000001AAE0000-0x000000001AAEE000-memory.dmp

Filesize
56KB

Download
memory/2796-30-0x000000001AAD0000-0x000000001AADA000-memory.dmp

Filesize
40KB

Download
memory/2796-29-0x000000001AAC0000-0x000000001AAC8000-memory.dmp

Filesize
32KB

Download
memory/2796-33-0x000000001AFB0000-0x000000001AFBE000-memory.dmp

Filesize
56KB

Download
memory/2796-27-0x000000001AA50000-0x000000001AA58000-memory.dmp

Filesize
32KB

Download
memory/2796-26-0x000000001AA20000-0x000000001AA32000-memory.dmp

Filesize
72KB

Download
memory/2796-25-0x0000000000DD0000-0x0000000000DDC000-memory.dmp

Filesize
48KB

Download
memory/2796-24-0x0000000000D80000-0x0000000000DD6000-memory.dmp

Filesize
344KB

Download
memory/2796-22-0x0000000000D60000-0x0000000000D76000-memory.dmp

Filesize
88KB

Download
memory/2796-21-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/2796-20-0x0000000000470000-0x000000000048C000-memory.dmp

Filesize
112KB

Download
memory/2796-19-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/2796-18-0x0000000000DE0000-0x000000000118C000-memory.dmp

Filesize
3.7MB

Download