dcrat | e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-09-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
Size

4.9MB
MD5

d62868c1af4b6fc4a73f8473b80d6490
SHA1

f52db2fa7d9a8d0a8d93b936e2272ec37ad8c1de
SHA256

e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142
SHA512

6eae3dfcf157f56537989f5a33da3fb67791a7b2afc753d42e39838b6b0b403dd946cd625192ca66a58b2d9c69a1da01179c36fd500d34b56c6e6d4a3567a868
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	3048	schtasks.exe

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

winlogon.exewinlogon.exewinlogon.exee80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1744-2-0x000000001B530000-0x000000001B65E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2232	powershell.exe
2764	powershell.exe
444	powershell.exe
532	powershell.exe
2088	powershell.exe
3008	powershell.exe
1392	powershell.exe
2572	powershell.exe
1120	powershell.exe
1568	powershell.exe
1764	powershell.exe
2084	powershell.exe

Executes dropped EXE 8 IoCs

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid process

1444 winlogon.exe
612 winlogon.exe
1284 winlogon.exe
2828 winlogon.exe
2388 winlogon.exe
2372 winlogon.exe
592 winlogon.exe
3040 winlogon.exe

pid	process
1444	winlogon.exe
612	winlogon.exe
1284	winlogon.exe
2828	winlogon.exe
2388	winlogon.exe
2372	winlogon.exe
592	winlogon.exe
3040	winlogon.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exee80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe

Drops file in Program Files directory 12 IoCs

Processes:

e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\56085415360792	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\5a645b1c6ada3a	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\winlogon.exe	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\cc11b995f2a76d	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
File opened for modification	C:\Program Files\Microsoft Office\RCX934D.tmp	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCX97C3.tmp	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
File created	C:\Program Files\Microsoft Office\wininit.exe	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
File opened for modification	C:\Program Files\Microsoft Office\wininit.exe	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\RCX99C7.tmp	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\winlogon.exe	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe

Drops file in Windows directory 1 IoCs

Processes:

e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe

description ioc process

File created C:\Windows\Speech\Engines\SR\en-US\csrss.exe e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Speech\Engines\SR\en-US\csrss.exe	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
1676	schtasks.exe
2932	schtasks.exe
3044	schtasks.exe
2744	schtasks.exe
2812	schtasks.exe
2024	schtasks.exe
1840	schtasks.exe
1576	schtasks.exe
2512	schtasks.exe
2560	schtasks.exe
1444	schtasks.exe
3060	schtasks.exe
2704	schtasks.exe
2748	schtasks.exe
2624	schtasks.exe
1636	schtasks.exe
1848	schtasks.exe
2152	schtasks.exe
1508	schtasks.exe
1556	schtasks.exe
2120	schtasks.exe
2352	schtasks.exe
2868	schtasks.exe
2488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid	process
1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
2764	powershell.exe
1764	powershell.exe
2572	powershell.exe
3008	powershell.exe
532	powershell.exe
1120	powershell.exe
2084	powershell.exe
1392	powershell.exe
1568	powershell.exe
444	powershell.exe
2232	powershell.exe
2088	powershell.exe
1444	winlogon.exe
612	winlogon.exe
1284	winlogon.exe
2828	winlogon.exe
2388	winlogon.exe
2372	winlogon.exe
592	winlogon.exe
3040	winlogon.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	1444	winlogon.exe
Token: SeDebugPrivilege	612	winlogon.exe
Token: SeDebugPrivilege	1284	winlogon.exe
Token: SeDebugPrivilege	2828	winlogon.exe
Token: SeDebugPrivilege	2388	winlogon.exe
Token: SeDebugPrivilege	2372	winlogon.exe
Token: SeDebugPrivilege	592	winlogon.exe
Token: SeDebugPrivilege	3040	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.execmd.exewinlogon.exeWScript.exewinlogon.exeWScript.exewinlogon.exe

description	pid	process	target process
PID 1744 wrote to memory of 3008	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 3008	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 3008	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 1392	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 1392	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 1392	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 1764	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 1764	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 1764	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 2084	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 2084	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 2084	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 2572	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 2572	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 2572	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 2232	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 2232	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 2232	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 2764	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 2764	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 2764	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 444	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 444	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 444	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 1120	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 1120	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 1120	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 1568	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 1568	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 1568	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 532	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 532	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 532	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 2088	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 2088	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 2088	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	powershell.exe
PID 1744 wrote to memory of 1492	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	cmd.exe
PID 1744 wrote to memory of 1492	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	cmd.exe
PID 1744 wrote to memory of 1492	1744	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe	cmd.exe
PID 1492 wrote to memory of 2476	1492	cmd.exe	w32tm.exe
PID 1492 wrote to memory of 2476	1492	cmd.exe	w32tm.exe
PID 1492 wrote to memory of 2476	1492	cmd.exe	w32tm.exe
PID 1492 wrote to memory of 1444	1492	cmd.exe	winlogon.exe
PID 1492 wrote to memory of 1444	1492	cmd.exe	winlogon.exe
PID 1492 wrote to memory of 1444	1492	cmd.exe	winlogon.exe
PID 1444 wrote to memory of 756	1444	winlogon.exe	WScript.exe
PID 1444 wrote to memory of 756	1444	winlogon.exe	WScript.exe
PID 1444 wrote to memory of 756	1444	winlogon.exe	WScript.exe
PID 1444 wrote to memory of 2804	1444	winlogon.exe	WScript.exe
PID 1444 wrote to memory of 2804	1444	winlogon.exe	WScript.exe
PID 1444 wrote to memory of 2804	1444	winlogon.exe	WScript.exe
PID 756 wrote to memory of 612	756	WScript.exe	winlogon.exe
PID 756 wrote to memory of 612	756	WScript.exe	winlogon.exe
PID 756 wrote to memory of 612	756	WScript.exe	winlogon.exe
PID 612 wrote to memory of 3000	612	winlogon.exe	WScript.exe
PID 612 wrote to memory of 3000	612	winlogon.exe	WScript.exe
PID 612 wrote to memory of 3000	612	winlogon.exe	WScript.exe
PID 612 wrote to memory of 1996	612	winlogon.exe	WScript.exe
PID 612 wrote to memory of 1996	612	winlogon.exe	WScript.exe
PID 612 wrote to memory of 1996	612	winlogon.exe	WScript.exe
PID 3000 wrote to memory of 1284	3000	WScript.exe	winlogon.exe
PID 3000 wrote to memory of 1284	3000	WScript.exe	winlogon.exe
PID 3000 wrote to memory of 1284	3000	WScript.exe	winlogon.exe
PID 1284 wrote to memory of 1224	1284	winlogon.exe	WScript.exe

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

Processes:

e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
"C:\Users\Admin\AppData\Local\Temp\e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wlP7rKMSPM.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2476

C:\Program Files (x86)\Windows NT\TableTextService\it-IT\winlogon.exe
"C:\Program Files (x86)\Windows NT\TableTextService\it-IT\winlogon.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1444

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55ffe019-1441-4d52-b98d-722e4d1c3548.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Program Files (x86)\Windows NT\TableTextService\it-IT\winlogon.exe
"C:\Program Files (x86)\Windows NT\TableTextService\it-IT\winlogon.exe"
5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:612

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\645a6944-7d14-4498-8c6d-258ef41a35ba.vbs"
6⤵
- Suspicious use of WriteProcessMemory
PID:3000

C:\Program Files (x86)\Windows NT\TableTextService\it-IT\winlogon.exe
"C:\Program Files (x86)\Windows NT\TableTextService\it-IT\winlogon.exe"
7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1284

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cb11a5d-8384-4c9a-93be-15b75f247b0d.vbs"
8⤵
PID:1224

C:\Program Files (x86)\Windows NT\TableTextService\it-IT\winlogon.exe
"C:\Program Files (x86)\Windows NT\TableTextService\it-IT\winlogon.exe"
9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2828

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55ce00dc-e1f7-4692-9a62-8192bfb17981.vbs"
10⤵
PID:1988

C:\Program Files (x86)\Windows NT\TableTextService\it-IT\winlogon.exe
"C:\Program Files (x86)\Windows NT\TableTextService\it-IT\winlogon.exe"
11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2388

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7e227e3-0f42-4c39-8252-f5080f50377d.vbs"
12⤵
PID:2984

C:\Program Files (x86)\Windows NT\TableTextService\it-IT\winlogon.exe
"C:\Program Files (x86)\Windows NT\TableTextService\it-IT\winlogon.exe"
13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2372

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9413a06-3d4c-4401-88b1-faa0eac70bd8.vbs"
14⤵
PID:2076

C:\Program Files (x86)\Windows NT\TableTextService\it-IT\winlogon.exe
"C:\Program Files (x86)\Windows NT\TableTextService\it-IT\winlogon.exe"
15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:592

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca78f831-6dbe-4730-b7d2-af89b605d3ad.vbs"
16⤵
PID:2036

C:\Program Files (x86)\Windows NT\TableTextService\it-IT\winlogon.exe
"C:\Program Files (x86)\Windows NT\TableTextService\it-IT\winlogon.exe"
17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3040

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a03b01fa-2a48-49e9-b010-64c0bc927c0b.vbs"
18⤵
PID:2140

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88afa07b-33fb-453f-9c72-2849612ec666.vbs"
18⤵
PID:1708

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b5d0086-9b54-446d-b7c7-42b0a8f29380.vbs"
16⤵
PID:2616

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9501e609-1c00-4df2-b463-635c50efd5a5.vbs"
14⤵
PID:636

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\517986fe-220a-4e6f-994b-25a224b8340d.vbs"
12⤵
PID:1936

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e026ff71-6ac6-4d1a-bc3a-8c86f533c379.vbs"
10⤵
PID:2624

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\550723fe-4ac2-414f-a262-1811eace976c.vbs"
8⤵
PID:2864

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78c4dba4-c1be-4905-afdc-9e764f815700.vbs"
6⤵
PID:1996

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21bdf1ab-cb9f-4180-98f0-8c46afdaad35.vbs"
4⤵
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Links\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Links\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142Ne" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142Ne" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142N.exe
Filesize
4.9MB

MD5
d62868c1af4b6fc4a73f8473b80d6490

SHA1
f52db2fa7d9a8d0a8d93b936e2272ec37ad8c1de

SHA256
e80d1f406fd2931d5531049905b14abc6ba500f13d02d7fb61465e97fffee142

SHA512
6eae3dfcf157f56537989f5a33da3fb67791a7b2afc753d42e39838b6b0b403dd946cd625192ca66a58b2d9c69a1da01179c36fd500d34b56c6e6d4a3567a868

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\it-IT\winlogon.exe
Filesize
4.9MB

MD5
59bc4461fdd7a78748ac2b814f8d0526

SHA1
7997c1e146001cec45d54f1f41e2060aee4a5344

SHA256
362ae21ec21a37e0263e9ffa1bf08b7d3368bad4780382ff1894ad8d26042c5b

SHA512
766f6aa4f27f882fded8c40439022bf4810ed1d319e7ca60c696f780cd91973daf4f8f9468aa4b5d2f543bb9209e7dff10149ced21fdaf432565f21effec05f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\21bdf1ab-cb9f-4180-98f0-8c46afdaad35.vbs
Filesize
521B

MD5
ed665f336eed91033dd3e4bfad3c04ce

SHA1
524ce1062c27b25073eb6678eedf4c9b67134116

SHA256
9c28211a7c9cc60531688b873a680886b8943aadbd6b6ba1420755f7accb9efd

SHA512
2dda88ae4adcf735fa1e2a164a2fa3901ba4cfe8818844e1bc7153db8af8d9ee12a34d2129c2b861b549ed844cb0882921bd63b284533957acf78be39d606048

Download Submit
C:\Users\Admin\AppData\Local\Temp\4cb11a5d-8384-4c9a-93be-15b75f247b0d.vbs
Filesize
745B

MD5
0108fe9a400c65afa6c6bbec99e17ce7

SHA1
37bb5588cfe806da207c39123f2d73fce20617ee

SHA256
3895aca85d81891a68d44a0f66a04da0e1fcb35e58f76164c1a7efb94d89dc99

SHA512
d720d7904e9f748867edf49ff60db4d891fdaf09ba372fa1e52dfaad09160873a02a83f392a5da366faeabb5f7fe931e7745477b584e7104603679bb5dabe68f

Download Submit
C:\Users\Admin\AppData\Local\Temp\55ce00dc-e1f7-4692-9a62-8192bfb17981.vbs
Filesize
745B

MD5
25b5fa5d5b9cd200f04204edec20638c

SHA1
2e6d649d975350a58d03fbbfa9b831a5de7940d7

SHA256
7d0c32bb8f87b707670bb8580a4697438fd0256c1b3928ed63f6bf34d2a8a43e

SHA512
fc211af508c696c12a6919360d9fab4bac0a22b93eb51da059bc53abde0da242bb3c5ded6daabf9fdc18256185bc383a51090a2a9508732485acda7472e7d042

Download Submit
C:\Users\Admin\AppData\Local\Temp\55ffe019-1441-4d52-b98d-722e4d1c3548.vbs
Filesize
745B

MD5
3a609263de842e9be6baf5e6ea18d322

SHA1
90f9ac2795815fffd2ae4f9469da802a8a606e43

SHA256
119dbfdadda282c0fbee288a026020487c8b28e4c1ae856e189b873c4bf422a9

SHA512
892592fc39b0476f809058be94c39ddbfe682fa2b7e688f60bb408b91fc2c0957635c82e99a17c2c6d03daef9e54ceb2bd32baad137d6f502830d9296052cd23

Download Submit
C:\Users\Admin\AppData\Local\Temp\645a6944-7d14-4498-8c6d-258ef41a35ba.vbs
Filesize
744B

MD5
7919e4dec16187a6651ea5ebdd4d0468

SHA1
ebee1ce4b4a4811b45ced0b4e0ba83af8481a8ec

SHA256
a9bba33b47665378dc826da25a69ca8ba790d29759f8ff2a1ecd8695b545a265

SHA512
3c9daa032c754059d2f5560b061c4b96c642be0365bdc27d94d0911e6ead4cf61e9310dffc9b15c1ffb7a77a9dcddd24a732ef54d8095a796080a35c3bf021fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7e227e3-0f42-4c39-8252-f5080f50377d.vbs
Filesize
745B

MD5
6b0be8c977275927ea86675796ecb68d

SHA1
29bac90a2281b401c7f97305addcf5c29e695ea3

SHA256
95e211b612bb168c7a47c889ff490b8a7aca271abb8417b271afd6958f55e3fe

SHA512
2e1345f2b8712fe48ea71921c2ccb222522e8c9209f9facb04676e3900a9d40a665e00a024f62a428ba9bc28666df6205c442e9942b2b9ec8366b7d8d53589c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9413a06-3d4c-4401-88b1-faa0eac70bd8.vbs
Filesize
745B

MD5
f94dd20463c327291a0ef73c930755f0

SHA1
c91eedc5a9df9adce70adfe6574a0fd2ba4565a7

SHA256
c1b70148b2f636734378d840c336034ae640c16624194e6fc41f5433444b91af

SHA512
33128101342e0568ce2e3e90d6135d6ae95a86a3e19d47847c7b1e9b8c4968d155f4f35cf840640e834a738e0a19a83031d2d5e4ceab8495642e3a2c1a798552

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca78f831-6dbe-4730-b7d2-af89b605d3ad.vbs
Filesize
744B

MD5
dc9fc7e59cd9b446ef8fa672e4c7e898

SHA1
76cea02d73eba423479dfeb2e6c625ee48693c87

SHA256
694625e98b7dd6c20257e98cbd5951bd5cb9d6b09191b4658d0993a18cfe6003

SHA512
42e569eadf352ddf4bda104ce874b835515b4550a399e2ac65c3ff594cd3201d78eef63a741e59990f94281067f439cc1d7a9db3643ccb29bf713e0f81ff4882

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC699.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlP7rKMSPM.bat
Filesize
234B

MD5
b8dd3dc10b36f5b635d90be07be3e7e3

SHA1
7960604f8cbe23d36999924818ae5bd0e266b66c

SHA256
245f5b55cf991d6a29864daf5eb69d8f6bf5f7dc9404b4bda737e666d271cbbc

SHA512
cbbf567b8b75c3cd5f0599bea2898aff5d338167e00d9aef4f4d967cfff5bdf83a2b65998eed567a28be87a2fc189099af4fdda787e8761a04af719e6089d9b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CUMF7098O9G9DFN7KHFM.temp
Filesize
7KB

MD5
790b5635d44979677de4adc362cf7bba

SHA1
2dc708aae2d64816da84f48ff0053b9a4557f198

SHA256
7bf22f0960831d68c2296af1528b4a92756d1eb14ba24fdee6e5b396a822d92c

SHA512
71d4a14e626d3eab1248a27ec3b644c6022c2f56c5bf9e1687855b373a8d54d50bdb874a40e742e1b5ef19c303f990f1c58cd36a51b4c68cc84d3be4665cbefe

Download Submit
memory/592-249-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/592-248-0x0000000001000000-0x00000000014F4000-memory.dmp

Filesize
5.0MB

Download
memory/1444-160-0x0000000001260000-0x0000000001754000-memory.dmp

Filesize
5.0MB

Download
memory/1744-7-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/1744-10-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/1744-16-0x0000000000B20000-0x0000000000B2C000-memory.dmp

Filesize
48KB

Download
memory/1744-15-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/1744-0-0x000007FEF5423000-0x000007FEF5424000-memory.dmp

Filesize
4KB

Download
memory/1744-11-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download
memory/1744-131-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/1744-12-0x00000000004C0000-0x00000000004CE000-memory.dmp

Filesize
56KB

Download
memory/1744-13-0x00000000005C0000-0x00000000005CE000-memory.dmp

Filesize
56KB

Download
memory/1744-14-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/1744-9-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/1744-8-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/1744-5-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/1744-6-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/1744-4-0x00000000003A0000-0x00000000003BC000-memory.dmp

Filesize
112KB

Download
memory/1744-3-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/1744-2-0x000000001B530000-0x000000001B65E000-memory.dmp

Filesize
1.2MB

Download
memory/1744-1-0x0000000000D30000-0x0000000001224000-memory.dmp

Filesize
5.0MB

Download
memory/1764-107-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2372-233-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/2372-232-0x00000000003E0000-0x00000000008D4000-memory.dmp

Filesize
5.0MB

Download
memory/2388-217-0x00000000001F0000-0x00000000006E4000-memory.dmp

Filesize
5.0MB

Download
memory/2764-106-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2828-202-0x0000000001380000-0x0000000001874000-memory.dmp

Filesize
5.0MB

Download