dcrat | 9636a592ea745fc8173b9ec8527f94fc8733ca1157837009ead6ed97293e2d5e

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a51d27aaaa0bb67872d99147bae13d0N.exe
Size

4.9MB
MD5

4a51d27aaaa0bb67872d99147bae13d0
SHA1

a2b4c8f679911bc03a14e4f9be242ef9b0e4d97d
SHA256

9636a592ea745fc8173b9ec8527f94fc8733ca1157837009ead6ed97293e2d5e
SHA512

e208fb10b57ff8dcec352887ac8221bf348af5dbdae73ab1cd6885edbce26a2e81d96bf6f89bd5e482e30c2016fb73172eb714e3f77bebfe43bbd98bed381b6d
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2876	schtasks.exe	30

UAC bypass 3 TTPs 24 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

lsm.exelsm.exelsm.exe4a51d27aaaa0bb67872d99147bae13d0N.exelsm.exelsm.exelsm.exelsm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4a51d27aaaa0bb67872d99147bae13d0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4a51d27aaaa0bb67872d99147bae13d0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4a51d27aaaa0bb67872d99147bae13d0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2140-2-0x000000001B160000-0x000000001B28E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
276	powershell.exe
2388	powershell.exe
1732	powershell.exe
1836	powershell.exe
2488	powershell.exe
2308	powershell.exe
2496	powershell.exe
1168	powershell.exe
1124	powershell.exe
2664	powershell.exe
2452	powershell.exe
1716	powershell.exe

Executes dropped EXE 7 IoCs

Processes:

lsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

pid	Process
1684	lsm.exe
2376	lsm.exe
2448	lsm.exe
2848	lsm.exe
2656	lsm.exe
1844	lsm.exe
2644	lsm.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

lsm.exelsm.exelsm.exelsm.exelsm.exe4a51d27aaaa0bb67872d99147bae13d0N.exelsm.exelsm.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4a51d27aaaa0bb67872d99147bae13d0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4a51d27aaaa0bb67872d99147bae13d0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

Drops file in Program Files directory 16 IoCs

Processes:

4a51d27aaaa0bb67872d99147bae13d0N.exe

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\Idle.exe	4a51d27aaaa0bb67872d99147bae13d0N.exe
File created	C:\Program Files\Google\Chrome\69ddcba757bf72	4a51d27aaaa0bb67872d99147bae13d0N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\RCX8E20.tmp	4a51d27aaaa0bb67872d99147bae13d0N.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\it-IT\RCX9053.tmp	4a51d27aaaa0bb67872d99147bae13d0N.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\it-IT\4a51d27aaaa0bb67872d99147bae13d0N.exe	4a51d27aaaa0bb67872d99147bae13d0N.exe
File created	C:\Program Files\Microsoft Games\Chess\it-IT\19cae79e7dabbe	4a51d27aaaa0bb67872d99147bae13d0N.exe
File created	C:\Program Files\Google\Chrome\smss.exe	4a51d27aaaa0bb67872d99147bae13d0N.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\6ccacd8608530f	4a51d27aaaa0bb67872d99147bae13d0N.exe
File created	C:\Program Files\Microsoft Games\Chess\it-IT\4a51d27aaaa0bb67872d99147bae13d0N.exe	4a51d27aaaa0bb67872d99147bae13d0N.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\dwm.exe	4a51d27aaaa0bb67872d99147bae13d0N.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\6cb0b6c459d5d3	4a51d27aaaa0bb67872d99147bae13d0N.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\dwm.exe	4a51d27aaaa0bb67872d99147bae13d0N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\Idle.exe	4a51d27aaaa0bb67872d99147bae13d0N.exe
File opened for modification	C:\Program Files\Google\Chrome\RCX9564.tmp	4a51d27aaaa0bb67872d99147bae13d0N.exe
File opened for modification	C:\Program Files\Google\Chrome\smss.exe	4a51d27aaaa0bb67872d99147bae13d0N.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\RCX99C9.tmp	4a51d27aaaa0bb67872d99147bae13d0N.exe

Drops file in Windows directory 4 IoCs

Processes:

4a51d27aaaa0bb67872d99147bae13d0N.exe

description	ioc	Process
File created	C:\Windows\debug\lsm.exe	4a51d27aaaa0bb67872d99147bae13d0N.exe
File opened for modification	C:\Windows\debug\lsm.exe	4a51d27aaaa0bb67872d99147bae13d0N.exe
File created	C:\Windows\debug\101b941d020240	4a51d27aaaa0bb67872d99147bae13d0N.exe
File opened for modification	C:\Windows\debug\RCX897D.tmp	4a51d27aaaa0bb67872d99147bae13d0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2024	schtasks.exe
1964	schtasks.exe
1952	schtasks.exe
1156	schtasks.exe
2700	schtasks.exe
2288	schtasks.exe
3000	schtasks.exe
2752	schtasks.exe
2148	schtasks.exe
2312	schtasks.exe
1044	schtasks.exe
2788	schtasks.exe
3020	schtasks.exe
2768	schtasks.exe
3048	schtasks.exe
2592	schtasks.exe
2304	schtasks.exe
2980	schtasks.exe
2052	schtasks.exe
1728	schtasks.exe
2896	schtasks.exe
2104	schtasks.exe
2880	schtasks.exe
1304	schtasks.exe
2524	schtasks.exe
1844	schtasks.exe
2176	schtasks.exe
264	schtasks.exe
1316	schtasks.exe
1520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

4a51d27aaaa0bb67872d99147bae13d0N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

pid	Process
2140	4a51d27aaaa0bb67872d99147bae13d0N.exe
2140	4a51d27aaaa0bb67872d99147bae13d0N.exe
2140	4a51d27aaaa0bb67872d99147bae13d0N.exe
2496	powershell.exe
2308	powershell.exe
2452	powershell.exe
1716	powershell.exe
276	powershell.exe
1124	powershell.exe
1836	powershell.exe
2388	powershell.exe
1732	powershell.exe
2664	powershell.exe
1168	powershell.exe
2488	powershell.exe
1684	lsm.exe
2376	lsm.exe
2448	lsm.exe
2848	lsm.exe
2656	lsm.exe
1844	lsm.exe
2644	lsm.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	1684	lsm.exe
Token: SeDebugPrivilege	2376	lsm.exe
Token: SeDebugPrivilege	2448	lsm.exe
Token: SeDebugPrivilege	2848	lsm.exe
Token: SeDebugPrivilege	2656	lsm.exe
Token: SeDebugPrivilege	1844	lsm.exe
Token: SeDebugPrivilege	2644	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4a51d27aaaa0bb67872d99147bae13d0N.execmd.exelsm.exeWScript.exelsm.exeWScript.exelsm.exe

description	pid	Process	procid_target
PID 2140 wrote to memory of 276	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	61
PID 2140 wrote to memory of 276	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	61
PID 2140 wrote to memory of 276	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	61
PID 2140 wrote to memory of 2496	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	62
PID 2140 wrote to memory of 2496	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	62
PID 2140 wrote to memory of 2496	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	62
PID 2140 wrote to memory of 2488	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	63
PID 2140 wrote to memory of 2488	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	63
PID 2140 wrote to memory of 2488	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	63
PID 2140 wrote to memory of 1168	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	64
PID 2140 wrote to memory of 1168	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	64
PID 2140 wrote to memory of 1168	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	64
PID 2140 wrote to memory of 2308	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	66
PID 2140 wrote to memory of 2308	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	66
PID 2140 wrote to memory of 2308	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	66
PID 2140 wrote to memory of 1716	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	67
PID 2140 wrote to memory of 1716	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	67
PID 2140 wrote to memory of 1716	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	67
PID 2140 wrote to memory of 2452	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	69
PID 2140 wrote to memory of 2452	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	69
PID 2140 wrote to memory of 2452	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	69
PID 2140 wrote to memory of 1836	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	70
PID 2140 wrote to memory of 1836	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	70
PID 2140 wrote to memory of 1836	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	70
PID 2140 wrote to memory of 1124	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	72
PID 2140 wrote to memory of 1124	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	72
PID 2140 wrote to memory of 1124	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	72
PID 2140 wrote to memory of 1732	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	79
PID 2140 wrote to memory of 1732	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	79
PID 2140 wrote to memory of 1732	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	79
PID 2140 wrote to memory of 2388	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	80
PID 2140 wrote to memory of 2388	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	80
PID 2140 wrote to memory of 2388	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	80
PID 2140 wrote to memory of 2664	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	81
PID 2140 wrote to memory of 2664	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	81
PID 2140 wrote to memory of 2664	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	81
PID 2140 wrote to memory of 2652	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	85
PID 2140 wrote to memory of 2652	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	85
PID 2140 wrote to memory of 2652	2140	4a51d27aaaa0bb67872d99147bae13d0N.exe	85
PID 2652 wrote to memory of 2424	2652	cmd.exe	87
PID 2652 wrote to memory of 2424	2652	cmd.exe	87
PID 2652 wrote to memory of 2424	2652	cmd.exe	87
PID 2652 wrote to memory of 1684	2652	cmd.exe	88
PID 2652 wrote to memory of 1684	2652	cmd.exe	88
PID 2652 wrote to memory of 1684	2652	cmd.exe	88
PID 1684 wrote to memory of 584	1684	lsm.exe	89
PID 1684 wrote to memory of 584	1684	lsm.exe	89
PID 1684 wrote to memory of 584	1684	lsm.exe	89
PID 1684 wrote to memory of 320	1684	lsm.exe	90
PID 1684 wrote to memory of 320	1684	lsm.exe	90
PID 1684 wrote to memory of 320	1684	lsm.exe	90
PID 584 wrote to memory of 2376	584	WScript.exe	91
PID 584 wrote to memory of 2376	584	WScript.exe	91
PID 584 wrote to memory of 2376	584	WScript.exe	91
PID 2376 wrote to memory of 2432	2376	lsm.exe	92
PID 2376 wrote to memory of 2432	2376	lsm.exe	92
PID 2376 wrote to memory of 2432	2376	lsm.exe	92
PID 2376 wrote to memory of 3008	2376	lsm.exe	93
PID 2376 wrote to memory of 3008	2376	lsm.exe	93
PID 2376 wrote to memory of 3008	2376	lsm.exe	93
PID 2432 wrote to memory of 2448	2432	WScript.exe	94
PID 2432 wrote to memory of 2448	2432	WScript.exe	94
PID 2432 wrote to memory of 2448	2432	WScript.exe	94
PID 2448 wrote to memory of 2948	2448	lsm.exe	95

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

Processes:

lsm.exelsm.exelsm.exe4a51d27aaaa0bb67872d99147bae13d0N.exelsm.exelsm.exelsm.exelsm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4a51d27aaaa0bb67872d99147bae13d0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4a51d27aaaa0bb67872d99147bae13d0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4a51d27aaaa0bb67872d99147bae13d0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4a51d27aaaa0bb67872d99147bae13d0N.exe
"C:\Users\Admin\AppData\Local\Temp\4a51d27aaaa0bb67872d99147bae13d0N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VNwVo2iwMr.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2424
- - C:\Windows\debug\lsm.exe
    "C:\Windows\debug\lsm.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1684
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34a6af7f-ca3d-40c8-83fa-179d91ed9120.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:584
    - - C:\Windows\debug\lsm.exe
        
        C:\Windows\debug\lsm.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2376
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40462058-980b-4cf3-aec0-367861db6309.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\debug\lsm.exe
        
        C:\Windows\debug\lsm.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74763952-74bb-4108-96ad-56685b50acd1.vbs"
        8⤵
        
        PID:2948
        
        C:\Windows\debug\lsm.exe
        
        C:\Windows\debug\lsm.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1730fbff-42f3-4cf2-b3bc-2f5660e183e0.vbs"
        10⤵
        
        PID:296
        
        C:\Windows\debug\lsm.exe
        
        C:\Windows\debug\lsm.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e07ed1f8-d307-452d-9851-72fc6a525d85.vbs"
        12⤵
        
        PID:2484
        
        C:\Windows\debug\lsm.exe
        
        C:\Windows\debug\lsm.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95765e55-f5c6-428e-a6cb-07fd844c8ab0.vbs"
        14⤵
        
        PID:2916
        
        C:\Windows\debug\lsm.exe
        
        C:\Windows\debug\lsm.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77c07c7f-ddf3-4b5e-a63e-e3d35fc75a06.vbs"
        16⤵
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5651755-52ed-460a-8b07-ce9e1ae796fa.vbs"
        16⤵
        
        PID:780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a8961ea-9d21-49a1-bff8-b3edc2032590.vbs"
        14⤵
        
        PID:1756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a4e2aa3-744e-45d6-95fb-784b3f707e88.vbs"
        12⤵
        
        PID:1260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5644b66-1ec8-4250-b2dc-bd01d9bc5b5c.vbs"
        10⤵
        
        PID:884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1eb92b2b-8f3a-449a-a18d-b555f39747be.vbs"
        8⤵
        
        PID:1712
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\137cbba6-2154-4447-b903-0f2bbb3b61a0.vbs"
        6⤵
        
        PID:3008
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aae0aa8a-2995-46f4-be4c-59474ac78cc7.vbs"
      4⤵
      PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\debug\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4a51d27aaaa0bb67872d99147bae13d0N4" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\Chess\it-IT\4a51d27aaaa0bb67872d99147bae13d0N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4a51d27aaaa0bb67872d99147bae13d0N" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Chess\it-IT\4a51d27aaaa0bb67872d99147bae13d0N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4a51d27aaaa0bb67872d99147bae13d0N4" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Chess\it-IT\4a51d27aaaa0bb67872d99147bae13d0N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4a51d27aaaa0bb67872d99147bae13d0N4" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\4a51d27aaaa0bb67872d99147bae13d0N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4a51d27aaaa0bb67872d99147bae13d0N" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\4a51d27aaaa0bb67872d99147bae13d0N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4a51d27aaaa0bb67872d99147bae13d0N4" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\4a51d27aaaa0bb67872d99147bae13d0N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Network Sharing\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Network Sharing\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\4a51d27aaaa0bb67872d99147bae13d0N.exe

Filesize
4.9MB

MD5
4a51d27aaaa0bb67872d99147bae13d0

SHA1
a2b4c8f679911bc03a14e4f9be242ef9b0e4d97d

SHA256
9636a592ea745fc8173b9ec8527f94fc8733ca1157837009ead6ed97293e2d5e

SHA512
e208fb10b57ff8dcec352887ac8221bf348af5dbdae73ab1cd6885edbce26a2e81d96bf6f89bd5e482e30c2016fb73172eb714e3f77bebfe43bbd98bed381b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1730fbff-42f3-4cf2-b3bc-2f5660e183e0.vbs

Filesize
700B

MD5
4a24e436d289d206d0f5241cbad25bd2

SHA1
2d2a42ebd01cf604a22082879ed962dd99dcc7c4

SHA256
1b10ec4a74865c34c0b186b96686b6c55ea1593079b94ba4d3d57ccf0b6a90c1

SHA512
dfffc4a4da680952f416d5497a375524179b604e59fb88c31b8e7242652b3d02b0b88cd0a2d5c97bfbf74ea4a4cf6e2adfbe5e0824103e39031eb6c11beacee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\34a6af7f-ca3d-40c8-83fa-179d91ed9120.vbs

Filesize
700B

MD5
ad0303fc1b3a3f4f41adb5877145867c

SHA1
6b27db52c738b4f01362fb2cfa2baaf923ef0924

SHA256
d210679ec5919d4080e9207d69b59910ac3906b67955d6c892f08f3eae39a455

SHA512
54231457434cdcc4ee7cb35b533f47f94e58b50a020fc7b75905d4af951cf05a7fc29a91c384db79daacc6d79ef9f936fd840528180de2dc5f61233ec08a0b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\40462058-980b-4cf3-aec0-367861db6309.vbs

Filesize
700B

MD5
6d42b7671773b7fa4705f2bf9ee9084e

SHA1
9ea7a882c6c7ba493bc58806251ef35be4526fff

SHA256
172b7f5bb6daa98a13040e5838e5a69f6e35c5dd3e8a4fd24b1f5c0943709d6e

SHA512
22aabb4c440c0a9601b8e1fcba0e956c594e9a57a294611ef12f845deb29e6d403d81d3379b60ce26a647b139a01a33647d84c654027d1551e9c8a5c4fad1988

Download Submit
C:\Users\Admin\AppData\Local\Temp\74763952-74bb-4108-96ad-56685b50acd1.vbs

Filesize
700B

MD5
0c06bfc409e43b02553579e2fcd0e9a5

SHA1
e28f756f80b12725db803f29de65f053f1a35a88

SHA256
e2dbc383751e9df30442343f6e7380eb1da0833373f8c3b07889774e74429e90

SHA512
24d55caef9a4ec5301001f5baf1b64869c4bffdc62cad45f2b4eeb684e80492201ce35a2a187b2cdcdf559e2d8eb8467d7739c1817753b8bb656866320a6e2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\77c07c7f-ddf3-4b5e-a63e-e3d35fc75a06.vbs

Filesize
700B

MD5
2d0888e33f8ee54e9869142b7c8a6313

SHA1
5e4f80c53fc91ece50fb0d754187d34b4da734b5

SHA256
f8826cef2fa3f6f10e7e5c09161e80aaffc8c04a9b211114da9aff4ce8cc4942

SHA512
5d2269813913af79c49125694243fa0cd7593fc261342c6b1077a3f1f9174c313e54018990a922e78000a6f2dff24bcbbbd6e26e93acc347aeab66628f096743

Download Submit
C:\Users\Admin\AppData\Local\Temp\790ae7fb75235c796e49c039207532319cbc2f9f.exe

Filesize
4.9MB

MD5
9456c9aff51a36c653106ea197ec4b6d

SHA1
d7e95a8f6dedde0edf2725549365e1a954423f1e

SHA256
5886a62d34042ac2c26625108f6ec6070642dcbd40800a05d33e4814e3f7a08c

SHA512
1e78ea11f804d2820f5a6a6eb18ff2aa846a59cb7dbd157e39eec8720bf4a158bf0d6c8c5e3dfbc3d20185424ec4d470d529849ab7e24d7d239cfa8ba4b62b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\95765e55-f5c6-428e-a6cb-07fd844c8ab0.vbs

Filesize
700B

MD5
db4958e9890145ddbc8cf312f0550d9a

SHA1
8a99ad9103a9ca2d4888194b2381a3eaeb2500c0

SHA256
10a625ba79067425639e7b51925e65be491cd764e49f24aa08192b5e7358d183

SHA512
19d0a7bc7b1e70abe4d91beb6c343095ebc0b09331e3b03a57112ab33d066a4a4d8025a1874e1f683b3adeef511253262e4fe25d6ad2bd3a6f7988e53a425ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\VNwVo2iwMr.bat

Filesize
189B

MD5
2dfe198bfa0e7112f3475c9432a33130

SHA1
3b6eb71306ee9895170fef54aaf5a6f210c16aaf

SHA256
7c4915f13995fe1c3ca587b9b6118dcafd06148519938c50fb9cd9982be818f6

SHA512
7bb6c9a37f958efb711c9e86e6bfcfd9ec2195bd275fe9edac4362c44f984cf8d39cbadd8887a7e4bf13a736e259880b403563556884f0dc7e065082e2c79a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aae0aa8a-2995-46f4-be4c-59474ac78cc7.vbs

Filesize
476B

MD5
ec4594c4689fe9a7db1f7912f6dccb33

SHA1
d1529aee3514deb6414b214ceee7fe156083066d

SHA256
1f310d1fdc12b0e4cf43afdb96e5a745bb5877bad7a4c21044c846d34e9ed03e

SHA512
70dbfe182304e0a56776d2596a7526a2e3ff81c712a55555615956dc08f63974808fe8dbe6c78d60451ba49019efffd44465462435244d5b43bf55c27d896b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e07ed1f8-d307-452d-9851-72fc6a525d85.vbs

Filesize
700B

MD5
767bbfa83ca031126a401c59c6f31a04

SHA1
b2a25351e14ed466b434e1af210265d66746ffab

SHA256
9423a01963eb6d48788e1f85513cb10feaf4f80fe6ffe0650ebadb316c8cf8c8

SHA512
ca74dfb226bd94bb8769ebd51652df72fceb3f7e3d6f2e688aa10e8b59e4e2b16f937a0e31e546472b04d68b1cd37052e20790e0334fe37b42a53ef37001f8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCFCD.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1e91f48541cdb85966439a20a4acf404

SHA1
129a895827c0eaa6f2891f85bf8e344a358f0d09

SHA256
5c2cae5570f0d7b71b7d3b1e9fd21b0a1b796b47c3e7f9b1a77439df9b738c2f

SHA512
061fd73a7f42882addb6ff8ac8413b9f3de116a09e46c364c6882fc074b7393de15e3ff2c9e1f6fcba840b89e748a57d9bcf4e5ad8412e947a9aa287ac5f7c00

Download Submit
memory/1684-184-0x00000000003A0000-0x0000000000894000-memory.dmp

Filesize
5.0MB

Download
memory/1844-258-0x0000000000370000-0x0000000000864000-memory.dmp

Filesize
5.0MB

Download
memory/2140-9-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/2140-1-0x00000000010E0000-0x00000000015D4000-memory.dmp

Filesize
5.0MB

Download
memory/2140-13-0x0000000000BC0000-0x0000000000BCE000-memory.dmp

Filesize
56KB

Download
memory/2140-77-0x000007FEF4F03000-0x000007FEF4F04000-memory.dmp

Filesize
4KB

Download
memory/2140-105-0x000007FEF4F00000-0x000007FEF58EC000-memory.dmp

Filesize
9.9MB

Download
memory/2140-0-0x000007FEF4F03000-0x000007FEF4F04000-memory.dmp

Filesize
4KB

Download
memory/2140-8-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2140-144-0x000007FEF4F00000-0x000007FEF58EC000-memory.dmp

Filesize
9.9MB

Download
memory/2140-2-0x000000001B160000-0x000000001B28E000-memory.dmp

Filesize
1.2MB

Download
memory/2140-11-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/2140-15-0x0000000000D70000-0x0000000000D78000-memory.dmp

Filesize
32KB

Download
memory/2140-10-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/2140-12-0x0000000000630000-0x000000000063E000-memory.dmp

Filesize
56KB

Download
memory/2140-16-0x0000000000D80000-0x0000000000D8C000-memory.dmp

Filesize
48KB

Download
memory/2140-4-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2140-7-0x00000000005E0000-0x00000000005F6000-memory.dmp

Filesize
88KB

Download
memory/2140-3-0x000007FEF4F00000-0x000007FEF58EC000-memory.dmp

Filesize
9.9MB

Download
memory/2140-6-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2140-14-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/2140-5-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/2308-145-0x0000000001F20000-0x0000000001F28000-memory.dmp

Filesize
32KB

Download
memory/2308-142-0x000000001B280000-0x000000001B562000-memory.dmp

Filesize
2.9MB

Download
memory/2376-198-0x00000000002D0000-0x00000000007C4000-memory.dmp

Filesize
5.0MB

Download
memory/2448-213-0x00000000011E0000-0x00000000016D4000-memory.dmp

Filesize
5.0MB

Download
memory/2644-273-0x0000000000FC0000-0x00000000014B4000-memory.dmp

Filesize
5.0MB

Download
memory/2656-243-0x0000000001340000-0x0000000001834000-memory.dmp

Filesize
5.0MB

Download
memory/2848-228-0x0000000000C40000-0x0000000000C52000-memory.dmp

Filesize
72KB

Download