dcrat | 43f8b28bff64dc200d51657f0f0aafd27125f9489e7c06fc109a22e58eadebc3

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

443110dabe7095bf8afe27bf3dc27f60N.exe
Size

4.9MB
MD5

443110dabe7095bf8afe27bf3dc27f60
SHA1

03554dc5583fd4d38124bf4f65405faadf61543e
SHA256

43f8b28bff64dc200d51657f0f0aafd27125f9489e7c06fc109a22e58eadebc3
SHA512

aca75451bf62ffa71190bcac77606c1dae1edf9813ded3443c2a5f6535a71ee2809bbf3889e31b40cc9dcccf85675e67be9103329e6e7566b157f2b004da5070
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2740	schtasks.exe

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

443110dabe7095bf8afe27bf3dc27f60N.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	443110dabe7095bf8afe27bf3dc27f60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	443110dabe7095bf8afe27bf3dc27f60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	443110dabe7095bf8afe27bf3dc27f60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/984-3-0x000000001B520000-0x000000001B64E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2904	powershell.exe
2784	powershell.exe
2848	powershell.exe
1968	powershell.exe
2824	powershell.exe
2628	powershell.exe
1392	powershell.exe
1384	powershell.exe
2928	powershell.exe
2844	powershell.exe
2328	powershell.exe
2896	powershell.exe

Executes dropped EXE 8 IoCs

Processes:

sppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

pid process

2240 sppsvc.exe
2440 sppsvc.exe
2812 sppsvc.exe
2128 sppsvc.exe
2352 sppsvc.exe
3036 sppsvc.exe
1312 sppsvc.exe
2036 sppsvc.exe

pid	process
2240	sppsvc.exe
2440	sppsvc.exe
2812	sppsvc.exe
2128	sppsvc.exe
2352	sppsvc.exe
3036	sppsvc.exe
1312	sppsvc.exe
2036	sppsvc.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

sppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe443110dabe7095bf8afe27bf3dc27f60N.exesppsvc.exesppsvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	443110dabe7095bf8afe27bf3dc27f60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	443110dabe7095bf8afe27bf3dc27f60N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe

Drops file in Program Files directory 8 IoCs

Processes:

443110dabe7095bf8afe27bf3dc27f60N.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\RCX2E44.tmp	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\System.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX32B9.tmp	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\System.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\27d1bcfc3c54e0	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\0a1fd5f707cd16	443110dabe7095bf8afe27bf3dc27f60N.exe

Drops file in Windows directory 8 IoCs

Processes:

443110dabe7095bf8afe27bf3dc27f60N.exe

description	ioc	process
File created	C:\Windows\addins\6ccacd8608530f	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Windows\inf\de-DE\RCX3086.tmp	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Windows\inf\de-DE\wininit.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Windows\addins\RCX34DC.tmp	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Windows\addins\Idle.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Windows\inf\de-DE\wininit.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Windows\inf\de-DE\56085415360792	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Windows\addins\Idle.exe	443110dabe7095bf8afe27bf3dc27f60N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2040	schtasks.exe
2652	schtasks.exe
2552	schtasks.exe
3044	schtasks.exe
2172	schtasks.exe
1792	schtasks.exe
2112	schtasks.exe
2916	schtasks.exe
2180	schtasks.exe
3056	schtasks.exe
2736	schtasks.exe
2960	schtasks.exe
1992	schtasks.exe
2920	schtasks.exe
2584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

443110dabe7095bf8afe27bf3dc27f60N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

pid	process
984	443110dabe7095bf8afe27bf3dc27f60N.exe
1392	powershell.exe
2848	powershell.exe
2824	powershell.exe
2784	powershell.exe
2896	powershell.exe
2904	powershell.exe
1968	powershell.exe
1384	powershell.exe
2844	powershell.exe
2928	powershell.exe
2328	powershell.exe
2628	powershell.exe
2240	sppsvc.exe
2440	sppsvc.exe
2812	sppsvc.exe
2128	sppsvc.exe
2352	sppsvc.exe
3036	sppsvc.exe
1312	sppsvc.exe
2036	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	984	443110dabe7095bf8afe27bf3dc27f60N.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2240	sppsvc.exe
Token: SeDebugPrivilege	2440	sppsvc.exe
Token: SeDebugPrivilege	2812	sppsvc.exe
Token: SeDebugPrivilege	2128	sppsvc.exe
Token: SeDebugPrivilege	2352	sppsvc.exe
Token: SeDebugPrivilege	3036	sppsvc.exe
Token: SeDebugPrivilege	1312	sppsvc.exe
Token: SeDebugPrivilege	2036	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

443110dabe7095bf8afe27bf3dc27f60N.exesppsvc.exeWScript.exesppsvc.exeWScript.exesppsvc.exe

description	pid	process	target process
PID 984 wrote to memory of 1392	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 1392	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 1392	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 1384	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 1384	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 1384	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2904	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2904	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2904	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2784	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2784	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2784	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2896	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2896	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2896	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2928	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2928	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2928	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2844	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2844	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2844	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2328	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2328	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2328	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2628	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2628	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2628	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2848	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2848	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2848	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2824	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2824	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2824	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 1968	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 1968	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 1968	984	443110dabe7095bf8afe27bf3dc27f60N.exe	powershell.exe
PID 984 wrote to memory of 2240	984	443110dabe7095bf8afe27bf3dc27f60N.exe	sppsvc.exe
PID 984 wrote to memory of 2240	984	443110dabe7095bf8afe27bf3dc27f60N.exe	sppsvc.exe
PID 984 wrote to memory of 2240	984	443110dabe7095bf8afe27bf3dc27f60N.exe	sppsvc.exe
PID 984 wrote to memory of 2240	984	443110dabe7095bf8afe27bf3dc27f60N.exe	sppsvc.exe
PID 984 wrote to memory of 2240	984	443110dabe7095bf8afe27bf3dc27f60N.exe	sppsvc.exe
PID 2240 wrote to memory of 2600	2240	sppsvc.exe	WScript.exe
PID 2240 wrote to memory of 2600	2240	sppsvc.exe	WScript.exe
PID 2240 wrote to memory of 2600	2240	sppsvc.exe	WScript.exe
PID 2240 wrote to memory of 2920	2240	sppsvc.exe	WScript.exe
PID 2240 wrote to memory of 2920	2240	sppsvc.exe	WScript.exe
PID 2240 wrote to memory of 2920	2240	sppsvc.exe	WScript.exe
PID 2600 wrote to memory of 2440	2600	WScript.exe	sppsvc.exe
PID 2600 wrote to memory of 2440	2600	WScript.exe	sppsvc.exe
PID 2600 wrote to memory of 2440	2600	WScript.exe	sppsvc.exe
PID 2600 wrote to memory of 2440	2600	WScript.exe	sppsvc.exe
PID 2600 wrote to memory of 2440	2600	WScript.exe	sppsvc.exe
PID 2440 wrote to memory of 960	2440	sppsvc.exe	WScript.exe
PID 2440 wrote to memory of 960	2440	sppsvc.exe	WScript.exe
PID 2440 wrote to memory of 960	2440	sppsvc.exe	WScript.exe
PID 2440 wrote to memory of 2232	2440	sppsvc.exe	WScript.exe
PID 2440 wrote to memory of 2232	2440	sppsvc.exe	WScript.exe
PID 2440 wrote to memory of 2232	2440	sppsvc.exe	WScript.exe
PID 960 wrote to memory of 2812	960	WScript.exe	sppsvc.exe
PID 960 wrote to memory of 2812	960	WScript.exe	sppsvc.exe
PID 960 wrote to memory of 2812	960	WScript.exe	sppsvc.exe
PID 960 wrote to memory of 2812	960	WScript.exe	sppsvc.exe
PID 960 wrote to memory of 2812	960	WScript.exe	sppsvc.exe
PID 2812 wrote to memory of 1548	2812	sppsvc.exe	WScript.exe

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

Processes:

443110dabe7095bf8afe27bf3dc27f60N.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	443110dabe7095bf8afe27bf3dc27f60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	443110dabe7095bf8afe27bf3dc27f60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	443110dabe7095bf8afe27bf3dc27f60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\443110dabe7095bf8afe27bf3dc27f60N.exe
"C:\Users\Admin\AppData\Local\Temp\443110dabe7095bf8afe27bf3dc27f60N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2240

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60e7b06c-4491-447c-95fc-4642800edf96.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2440

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\408377c1-5825-4ba0-9728-7e4027fb671d.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2812

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce713ec0-df60-4489-95b6-133fa1605fda.vbs"
7⤵
PID:1548

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2128

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d186c95-dab6-462b-a343-6bf3e34954de.vbs"
9⤵
PID:2504

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2352

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbaa5748-3db0-4a30-bcde-c67e4e75adb2.vbs"
11⤵
PID:956

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3036

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a7215af-a79d-40d2-b64a-060e0ca00bed.vbs"
13⤵
PID:2912

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1312

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3800567-4f92-4cbd-9314-304dd32b4d7f.vbs"
15⤵
PID:1652

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2036

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fd36744-a89a-4469-88d3-c415ea69f36f.vbs"
15⤵
PID:2820

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52838bf6-1ee6-483e-a374-9767d97fbbbf.vbs"
13⤵
PID:1212

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76f92ac8-3513-481f-95ec-70fe6cd96871.vbs"
11⤵
PID:2652

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\949a8410-26dc-47ed-a959-43208b1901bf.vbs"
9⤵
PID:2900

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\062a8ecd-5f3a-4c74-94df-6e37404e47dd.vbs"
7⤵
PID:1748

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf365e92-5dd8-4438-a9f5-1ff20ef8dfc4.vbs"
5⤵
PID:2232

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc671ec6-f7f3-48fd-909b-90343576f257.vbs"
3⤵
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\inf\de-DE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\inf\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\inf\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\408377c1-5825-4ba0-9728-7e4027fb671d.vbs

Filesize
757B

MD5
b6079aa4b6c443f0ff5be6d4570d8055

SHA1
9492c01488898788c13cd9aa089e4b2be0b2a800

SHA256
3725b43e41d6102f07370713c666f9c9ddf7a66b6da17126356de6a9596b4cae

SHA512
4ee768d54285a38914cf016c86bb4c898806b1350b04bab478772b3ca057a3788ceb84455d274d22d5fb703336111c194575404a5265dc4946f707f4573ddb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\60e7b06c-4491-447c-95fc-4642800edf96.vbs

Filesize
757B

MD5
cef39c1d5468d02a883a32593f5b197d

SHA1
95fd45a3eedc6d54d0ba844c2aa0f397697e2ff7

SHA256
dfbe1426b8905e758642b6f04471ed19ba7f419ce942b6f9c188ba77cfc87c12

SHA512
b1a5b4be1d22286734094864ebfec87ce23679c3fe745e40edbc2aa1ea4fb90d56a9b3d3bdb85cda4905b09101af926ba4bf2862e4acb162f73f5b173964a3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a7215af-a79d-40d2-b64a-060e0ca00bed.vbs

Filesize
757B

MD5
b96709700623c578aab2bc9bc8935dd4

SHA1
635aab0315ecb88ac6a123624dcc4be3c0c83bc4

SHA256
178da982fffd62877ae99b6b8f62f19b411e5e7302ddc0799d61482f8d16cac7

SHA512
10fddea6cacf4c689606a3cb0b420e410dc9f73568b45a9324423397430a8ffbf23e1184c8f9f31440b125637f19b328f10af8b55ca08be2606a3079694bd362

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d186c95-dab6-462b-a343-6bf3e34954de.vbs

Filesize
757B

MD5
4e42afed0549f75bc518e67b978902cf

SHA1
2bd2c51098faacabbcf02199d4234305a2537a42

SHA256
f8b3bcdde3e006191f26e3f3c8c0de0304aa1d6e5a7ad2b385cbf6f71b95861b

SHA512
146b652894dbe1be32ca919c504bf0fba0771efe9e051f6ac3e0508142b6418b2e6c7212cc941a06f1d8c666d1a8f01db90c74da0597210bded3f2ecbd36c1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbaa5748-3db0-4a30-bcde-c67e4e75adb2.vbs

Filesize
757B

MD5
5177c5ac3538c60ec648eb9fdb26c702

SHA1
ff2e398a185aa56aa465b0e931332ececc8d7f39

SHA256
f0be22edca38315083c63e6240b104d4bc508f24d2ee021ee8bb3680896aae4d

SHA512
9c2ad7ae035364079c3a7ae07774d5e61b815abb13a6f8d85c8aa23c6f3e9d920bcded952fb8e9f38329d98c8c0b1b0a5c3935b5f757b715c55ffd3f81e2359d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce713ec0-df60-4489-95b6-133fa1605fda.vbs

Filesize
757B

MD5
59df3ec037fb7e7467cc21035bc0ddef

SHA1
382e4a3067a15f8bf99c08baf70e2a32e458c3f1

SHA256
8d5146ef4f07f7ca1ec7651dac2ca2f9b10733fbf14b9e0da586c5b11beacb52

SHA512
3e6ee4d77ab16a758b848f35939b098f24f45e855af40fe12f9c1280c6b7e7a60c65130f95b4fe842707732646ff32971a49e6fa22e5877d73bafd54ab2e1211

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc671ec6-f7f3-48fd-909b-90343576f257.vbs

Filesize
533B

MD5
d65317641551435f11a36ba706e2c240

SHA1
a82e8fc672b9aa04a1c5c08b0ecaa63fefcb4381

SHA256
de2116f96ef9e6982603d4f941a8a029fbaa8f9cf603da1ad35cbc6bad9100c9

SHA512
7f45bd6fc934fcdefc28c04c48707c5caf0516c42d9bff35be205aa71f84f5a7f54c4fde0a977f05b244f0820c5d5d353b10859b054767a22f02880d245f67d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3800567-4f92-4cbd-9314-304dd32b4d7f.vbs

Filesize
757B

MD5
a5b965a17481e0c548737a31df732075

SHA1
f830acd9b61eccfbe047be31887e194d35acca2c

SHA256
61672ba0638d966308514741e32715b903421c24fde40a0189a432612ec01633

SHA512
1383b0f8f7ba6f02a8c8410d0bf5bf4cd06d145479570adf73701162af002d27a102a58ed99c2812cddba129f1237ad5ff6d7c40ab19cfcf9c1eac1846db4225

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4BA1.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
45e8b99a3c656da3c51783d9bed6b343

SHA1
6f3c70f2cd96b93ea353223a4aeef080da0c7743

SHA256
307ca468d1edb57beb6853360b8048e69b21eaf539a98a3d81ec0b92af6cb294

SHA512
db8059ea54dc0ffb73b86c440d4a930db24692f0bbdf260d6668b91316593c1807261e9f31d4ea3dec9d1560603bb7eaab0742ddd24ca8780ce02a32298cedcd

Download Submit
C:\Windows\addins\Idle.exe

Filesize
4.9MB

MD5
443110dabe7095bf8afe27bf3dc27f60

SHA1
03554dc5583fd4d38124bf4f65405faadf61543e

SHA256
43f8b28bff64dc200d51657f0f0aafd27125f9489e7c06fc109a22e58eadebc3

SHA512
aca75451bf62ffa71190bcac77606c1dae1edf9813ded3443c2a5f6535a71ee2809bbf3889e31b40cc9dcccf85675e67be9103329e6e7566b157f2b004da5070

Download Submit
memory/984-106-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/984-0-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

Filesize
4KB

Download
memory/984-13-0x0000000000E60000-0x0000000000E6E000-memory.dmp

Filesize
56KB

Download
memory/984-16-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/984-15-0x0000000000E80000-0x0000000000E88000-memory.dmp

Filesize
32KB

Download
memory/984-14-0x0000000000E70000-0x0000000000E78000-memory.dmp

Filesize
32KB

Download
memory/984-11-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download
memory/984-10-0x0000000000E30000-0x0000000000E42000-memory.dmp

Filesize
72KB

Download
memory/984-12-0x0000000000E50000-0x0000000000E5E000-memory.dmp

Filesize
56KB

Download
memory/984-5-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/984-1-0x0000000001080000-0x0000000001574000-memory.dmp

Filesize
5.0MB

Download
memory/984-4-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/984-9-0x0000000000E20000-0x0000000000E2A000-memory.dmp

Filesize
40KB

Download
memory/984-8-0x0000000000D10000-0x0000000000D20000-memory.dmp

Filesize
64KB

Download
memory/984-7-0x00000000006C0000-0x00000000006D6000-memory.dmp

Filesize
88KB

Download
memory/984-2-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/984-3-0x000000001B520000-0x000000001B64E000-memory.dmp

Filesize
1.2MB

Download
memory/984-6-0x0000000000630000-0x0000000000640000-memory.dmp

Filesize
64KB

Download
memory/1312-207-0x0000000000FC0000-0x00000000014B4000-memory.dmp

Filesize
5.0MB

Download
memory/1392-91-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/2036-222-0x0000000000BD0000-0x0000000000BE2000-memory.dmp

Filesize
72KB

Download
memory/2128-162-0x00000000002D0000-0x00000000007C4000-memory.dmp

Filesize
5.0MB

Download
memory/2240-81-0x0000000000AC0000-0x0000000000FB4000-memory.dmp

Filesize
5.0MB

Download
memory/2352-177-0x0000000000310000-0x0000000000804000-memory.dmp

Filesize
5.0MB

Download
memory/2440-131-0x00000000008D0000-0x00000000008E2000-memory.dmp

Filesize
72KB

Download
memory/2440-130-0x0000000001270000-0x0000000001764000-memory.dmp

Filesize
5.0MB

Download
memory/2812-147-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/2812-146-0x0000000001390000-0x0000000001884000-memory.dmp

Filesize
5.0MB

Download
memory/2848-82-0x000000001B1C0000-0x000000001B4A2000-memory.dmp

Filesize
2.9MB

Download
memory/3036-192-0x0000000000810000-0x0000000000D04000-memory.dmp

Filesize
5.0MB

Download