dcrat | 272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26/10/2024, 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77FFFEE187FABB45FFC7219D421EA83F.exe
Size

1.4MB
MD5

77fffee187fabb45ffc7219d421ea83f
SHA1

3f21e5a79d674131678ac5de8eaf30bbfcbb177c
SHA256

272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26
SHA512

3c27ed77b4e5c522804b48b94b70071bc07b4227ed3f5018d45160cb192136296f75a84af770caf72c797d2ea7fa36c8d897f2d68199f0fe0123c94781452b1f
SSDEEP

24576:KufUOExyABqHwzAsZg7ySXHzf9gUQ4zWp2Wn7b5kXxK:K3zBqATEzf9gUQPn7b5kXx

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 34 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2636	schtasks.exe
		1644	schtasks.exe
		2108	schtasks.exe
		1732	schtasks.exe
		2728	schtasks.exe
		2748	schtasks.exe
		2704	schtasks.exe
		2616	schtasks.exe
		1116	schtasks.exe
		2640	schtasks.exe
		2876	schtasks.exe
		648	schtasks.exe
		2768	schtasks.exe
		2336	schtasks.exe
		1020	schtasks.exe
		2988	schtasks.exe
		236	schtasks.exe
		1156	schtasks.exe
		1724	schtasks.exe
		2736	schtasks.exe
		2812	schtasks.exe
		2904	schtasks.exe
		2620	schtasks.exe
		2500	schtasks.exe
		2376	schtasks.exe
		2580	schtasks.exe
		3036	schtasks.exe
		2936	schtasks.exe
		1152	schtasks.exe
		2324	schtasks.exe
		1628	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		77FFFEE187FABB45FFC7219D421EA83F.exe
		2320	schtasks.exe
		2964	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 11 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\services.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\77FFFEE187FABB45FFC7219D421EA83F.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\services.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\77FFFEE187FABB45FFC7219D421EA83F.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\taskhost.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\services.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\77FFFEE187FABB45FFC7219D421EA83F.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\taskhost.exe\", \"C:\\Windows\\de-DE\\dllhost.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\services.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\77FFFEE187FABB45FFC7219D421EA83F.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\taskhost.exe\", \"C:\\Windows\\de-DE\\dllhost.exe\", \"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\lsm.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\services.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\WmiPrvSE.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\services.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\77FFFEE187FABB45FFC7219D421EA83F.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\services.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\77FFFEE187FABB45FFC7219D421EA83F.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\spoolsv.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\services.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\77FFFEE187FABB45FFC7219D421EA83F.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\taskhost.exe\", \"C:\\Windows\\de-DE\\dllhost.exe\", \"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\lsm.exe\", \"C:\\Program Files\\Internet Explorer\\images\\dllhost.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\services.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\77FFFEE187FABB45FFC7219D421EA83F.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\taskhost.exe\", \"C:\\Windows\\de-DE\\dllhost.exe\", \"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\lsm.exe\", \"C:\\Program Files\\Internet Explorer\\images\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\taskhost.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\services.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\77FFFEE187FABB45FFC7219D421EA83F.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\taskhost.exe\", \"C:\\Windows\\de-DE\\dllhost.exe\", \"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\lsm.exe\", \"C:\\Program Files\\Internet Explorer\\images\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\sppsvc.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\services.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	1664	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	1664	schtasks.exe	29

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2220-1-0x0000000000030000-0x000000000019A000-memory.dmp	dcrat
behavioral1/files/0x0006000000019489-20.dat	dcrat
behavioral1/memory/2084-40-0x00000000011E0000-0x000000000134A000-memory.dmp	dcrat
behavioral1/memory/2344-75-0x00000000013A0000-0x000000000150A000-memory.dmp	dcrat
behavioral1/memory/264-178-0x00000000001A0000-0x000000000030A000-memory.dmp	dcrat
behavioral1/memory/956-190-0x0000000000930000-0x0000000000A9A000-memory.dmp	dcrat

Executes dropped EXE 14 IoCs

pid	Process
2084	services.exe
784	services.exe
2656	services.exe
2344	services.exe
2660	services.exe
604	services.exe
1824	services.exe
1476	services.exe
2696	services.exe
1368	services.exe
2168	services.exe
1744	services.exe
264	services.exe
956	services.exe

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\de-DE\\dllhost.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\de-DE\\dllhost.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\lsm.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Google\\Temp\\taskhost.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\services.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\WmiPrvSE.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\sppsvc.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Defender\\it-IT\\spoolsv.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\sppsvc.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\taskhost.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\taskhost.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\sppsvc.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\services.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\77FFFEE187FABB45FFC7219D421EA83F = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\77FFFEE187FABB45FFC7219D421EA83F.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\sppsvc.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Google\\Temp\\taskhost.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Internet Explorer\\images\\dllhost.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Internet Explorer\\images\\dllhost.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\WmiPrvSE.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\77FFFEE187FABB45FFC7219D421EA83F = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\77FFFEE187FABB45FFC7219D421EA83F.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Defender\\it-IT\\spoolsv.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\lsm.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	77FFFEE187FABB45FFC7219D421EA83F.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\taskhost.exe	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\24dbde2999530e	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\spoolsv.exe	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Program Files\Internet Explorer\images\5940a34987c991	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\f3b6ecef712a24	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Program Files\Internet Explorer\images\dllhost.exe	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Program Files (x86)\Google\Temp\b75386f1303e64	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\77FFFEE187FABB45FFC7219D421EA83F.exe	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\f0ce4a6d92b3bf	77FFFEE187FABB45FFC7219D421EA83F.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\lsm.exe	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\101b941d020240	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Windows\de-DE\dllhost.exe	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Windows\de-DE\5940a34987c991	77FFFEE187FABB45FFC7219D421EA83F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1644	schtasks.exe
1020	schtasks.exe
1116	schtasks.exe
2580	schtasks.exe
1724	schtasks.exe
2620	schtasks.exe
2324	schtasks.exe
2376	schtasks.exe
2964	schtasks.exe
2320	schtasks.exe
2988	schtasks.exe
2812	schtasks.exe
2936	schtasks.exe
2108	schtasks.exe
2876	schtasks.exe
2640	schtasks.exe
2636	schtasks.exe
2704	schtasks.exe
648	schtasks.exe
2336	schtasks.exe
2616	schtasks.exe
1732	schtasks.exe
2736	schtasks.exe
1156	schtasks.exe
1628	schtasks.exe
2748	schtasks.exe
2904	schtasks.exe
236	schtasks.exe
2728	schtasks.exe
2768	schtasks.exe
1152	schtasks.exe
2500	schtasks.exe
3036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2220	77FFFEE187FABB45FFC7219D421EA83F.exe
2220	77FFFEE187FABB45FFC7219D421EA83F.exe
2220	77FFFEE187FABB45FFC7219D421EA83F.exe
2220	77FFFEE187FABB45FFC7219D421EA83F.exe
2220	77FFFEE187FABB45FFC7219D421EA83F.exe
2220	77FFFEE187FABB45FFC7219D421EA83F.exe
2220	77FFFEE187FABB45FFC7219D421EA83F.exe
2220	77FFFEE187FABB45FFC7219D421EA83F.exe
2220	77FFFEE187FABB45FFC7219D421EA83F.exe
2220	77FFFEE187FABB45FFC7219D421EA83F.exe
2220	77FFFEE187FABB45FFC7219D421EA83F.exe
2220	77FFFEE187FABB45FFC7219D421EA83F.exe
2220	77FFFEE187FABB45FFC7219D421EA83F.exe
2220	77FFFEE187FABB45FFC7219D421EA83F.exe
2220	77FFFEE187FABB45FFC7219D421EA83F.exe
2220	77FFFEE187FABB45FFC7219D421EA83F.exe
2220	77FFFEE187FABB45FFC7219D421EA83F.exe
2220	77FFFEE187FABB45FFC7219D421EA83F.exe
2220	77FFFEE187FABB45FFC7219D421EA83F.exe
2220	77FFFEE187FABB45FFC7219D421EA83F.exe
2220	77FFFEE187FABB45FFC7219D421EA83F.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe
2084	services.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	77FFFEE187FABB45FFC7219D421EA83F.exe
Token: SeDebugPrivilege	2084	services.exe
Token: SeDebugPrivilege	784	services.exe
Token: SeDebugPrivilege	2656	services.exe
Token: SeDebugPrivilege	2344	services.exe
Token: SeDebugPrivilege	2660	services.exe
Token: SeDebugPrivilege	604	services.exe
Token: SeDebugPrivilege	1824	services.exe
Token: SeDebugPrivilege	1476	services.exe
Token: SeDebugPrivilege	2696	services.exe
Token: SeDebugPrivilege	1368	services.exe
Token: SeDebugPrivilege	2168	services.exe
Token: SeDebugPrivilege	1744	services.exe
Token: SeDebugPrivilege	264	services.exe
Token: SeDebugPrivilege	956	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2084	2220	77FFFEE187FABB45FFC7219D421EA83F.exe	63
PID 2220 wrote to memory of 2084	2220	77FFFEE187FABB45FFC7219D421EA83F.exe	63
PID 2220 wrote to memory of 2084	2220	77FFFEE187FABB45FFC7219D421EA83F.exe	63
PID 2084 wrote to memory of 2184	2084	services.exe	64
PID 2084 wrote to memory of 2184	2084	services.exe	64
PID 2084 wrote to memory of 2184	2084	services.exe	64
PID 2084 wrote to memory of 2200	2084	services.exe	65
PID 2084 wrote to memory of 2200	2084	services.exe	65
PID 2084 wrote to memory of 2200	2084	services.exe	65
PID 2184 wrote to memory of 784	2184	WScript.exe	66
PID 2184 wrote to memory of 784	2184	WScript.exe	66
PID 2184 wrote to memory of 784	2184	WScript.exe	66
PID 784 wrote to memory of 2064	784	services.exe	67
PID 784 wrote to memory of 2064	784	services.exe	67
PID 784 wrote to memory of 2064	784	services.exe	67
PID 784 wrote to memory of 2940	784	services.exe	68
PID 784 wrote to memory of 2940	784	services.exe	68
PID 784 wrote to memory of 2940	784	services.exe	68
PID 2064 wrote to memory of 2656	2064	WScript.exe	69
PID 2064 wrote to memory of 2656	2064	WScript.exe	69
PID 2064 wrote to memory of 2656	2064	WScript.exe	69
PID 2656 wrote to memory of 1280	2656	services.exe	70
PID 2656 wrote to memory of 1280	2656	services.exe	70
PID 2656 wrote to memory of 1280	2656	services.exe	70
PID 2656 wrote to memory of 2880	2656	services.exe	71
PID 2656 wrote to memory of 2880	2656	services.exe	71
PID 2656 wrote to memory of 2880	2656	services.exe	71
PID 1280 wrote to memory of 2344	1280	WScript.exe	72
PID 1280 wrote to memory of 2344	1280	WScript.exe	72
PID 1280 wrote to memory of 2344	1280	WScript.exe	72
PID 2344 wrote to memory of 2052	2344	services.exe	73
PID 2344 wrote to memory of 2052	2344	services.exe	73
PID 2344 wrote to memory of 2052	2344	services.exe	73
PID 2344 wrote to memory of 2152	2344	services.exe	74
PID 2344 wrote to memory of 2152	2344	services.exe	74
PID 2344 wrote to memory of 2152	2344	services.exe	74
PID 2052 wrote to memory of 2660	2052	WScript.exe	75
PID 2052 wrote to memory of 2660	2052	WScript.exe	75
PID 2052 wrote to memory of 2660	2052	WScript.exe	75
PID 2660 wrote to memory of 1692	2660	services.exe	76
PID 2660 wrote to memory of 1692	2660	services.exe	76
PID 2660 wrote to memory of 1692	2660	services.exe	76
PID 2660 wrote to memory of 560	2660	services.exe	77
PID 2660 wrote to memory of 560	2660	services.exe	77
PID 2660 wrote to memory of 560	2660	services.exe	77
PID 1692 wrote to memory of 604	1692	WScript.exe	78
PID 1692 wrote to memory of 604	1692	WScript.exe	78
PID 1692 wrote to memory of 604	1692	WScript.exe	78
PID 604 wrote to memory of 2348	604	services.exe	79
PID 604 wrote to memory of 2348	604	services.exe	79
PID 604 wrote to memory of 2348	604	services.exe	79
PID 604 wrote to memory of 2392	604	services.exe	80
PID 604 wrote to memory of 2392	604	services.exe	80
PID 604 wrote to memory of 2392	604	services.exe	80
PID 2348 wrote to memory of 1824	2348	WScript.exe	81
PID 2348 wrote to memory of 1824	2348	WScript.exe	81
PID 2348 wrote to memory of 1824	2348	WScript.exe	81
PID 1824 wrote to memory of 2668	1824	services.exe	82
PID 1824 wrote to memory of 2668	1824	services.exe	82
PID 1824 wrote to memory of 2668	1824	services.exe	82
PID 1824 wrote to memory of 1864	1824	services.exe	83
PID 1824 wrote to memory of 1864	1824	services.exe	83
PID 1824 wrote to memory of 1864	1824	services.exe	83
PID 2668 wrote to memory of 1476	2668	WScript.exe	84

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\77FFFEE187FABB45FFC7219D421EA83F.exe
"C:\Users\Admin\AppData\Local\Temp\77FFFEE187FABB45FFC7219D421EA83F.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2220
- C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
  "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2084
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15ad3b68-8f46-4b54-b07d-51f5439dd032.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
      C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:784
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03705e0b-cc59-4294-8ddb-9b4e05240926.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2064
      - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\201751dd-04d0-4d69-9c0b-1b9e9c9f96a5.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\239ec85d-df20-4da9-80a6-c9756e516024.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\533df304-d383-4abf-aad6-737fdf66c8ec.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d431373-65cf-4d66-bc0a-4e01b18d7d4b.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e082f022-111f-4ea1-b227-9ce3ddbbde3a.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d3267fa-b078-481a-867a-8c764a28c715.vbs"
        17⤵
        
        PID:2768
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33aa56ca-3466-48a7-bec9-d0545e7acd0d.vbs"
        19⤵
        
        PID:2188
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d9f4bf7-88a8-466c-8901-ee7ddf7c8af5.vbs"
        21⤵
        
        PID:2552
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57d0c349-a688-49bd-aee0-a9d8291c96c8.vbs"
        23⤵
        
        PID:1712
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1314a7d4-9bd0-436c-b08c-5b9ec570c48a.vbs"
        25⤵
        
        PID:2692
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        26⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8891cabd-f941-4200-9a15-7c61792c89c1.vbs"
        27⤵
        
        PID:1776
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
        28⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d795f1b3-239c-4b3f-afb6-8cad6e537a99.vbs"
        29⤵
        
        PID:2292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f3c5ecb-9c4f-46cb-8ec4-ed57dacb6863.vbs"
        29⤵
        
        PID:2712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\082bf843-5916-43a2-8a9e-fc5dfc40d87e.vbs"
        27⤵
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50a378a5-4ef4-4522-bdfc-b26719e8f1c0.vbs"
        25⤵
        
        PID:2380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b34e7cac-d316-421b-97fd-fdcf595b772d.vbs"
        23⤵
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4702c0e8-10c5-4d83-a5ee-3442cb5e9b48.vbs"
        21⤵
        
        PID:2584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bb7bc6c-c2d0-433d-a58a-822875ab9c9b.vbs"
        19⤵
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfe4c77f-5145-4e22-9311-dc5136a1c14c.vbs"
        17⤵
        
        PID:2976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ad2f8a7-d2d2-4f1d-9412-6671107d6e69.vbs"
        15⤵
        
        PID:1864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2409c1d-b7cb-469e-9138-e38602e59363.vbs"
        13⤵
        
        PID:2392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaa0768a-1657-4acb-bc7e-bc0b1cce6c9e.vbs"
        11⤵
        
        PID:560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae23ec6c-5525-45fb-b1bc-ace6fecd1ac8.vbs"
        9⤵
        
        PID:2152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75bbce3d-7dd9-4a2a-b872-0ac7af8ec113.vbs"
        7⤵
        
        PID:2880
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\240b871f-87c5-4dc2-89cb-1471277fcc6f.vbs"
        5⤵
        
        PID:2940
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40ae1005-2b41-4dba-96f8-ae42ab04375c.vbs"
    3⤵
    PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "77FFFEE187FABB45FFC7219D421EA83F7" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.151\77FFFEE187FABB45FFC7219D421EA83F.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "77FFFEE187FABB45FFC7219D421EA83F" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.151\77FFFEE187FABB45FFC7219D421EA83F.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "77FFFEE187FABB45FFC7219D421EA83F7" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.151\77FFFEE187FABB45FFC7219D421EA83F.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\images\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\images\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\it-IT\spoolsv.exe

Filesize
1.4MB

MD5
77fffee187fabb45ffc7219d421ea83f

SHA1
3f21e5a79d674131678ac5de8eaf30bbfcbb177c

SHA256
272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26

SHA512
3c27ed77b4e5c522804b48b94b70071bc07b4227ed3f5018d45160cb192136296f75a84af770caf72c797d2ea7fa36c8d897f2d68199f0fe0123c94781452b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\03705e0b-cc59-4294-8ddb-9b4e05240926.vbs

Filesize
736B

MD5
a3eb029be8f1bc881f8008589b64a194

SHA1
4c97e1447e897fabdffa397c9547c1ca40651e46

SHA256
856ca453b334079a3d3a59d67ef1573063984083b56eed91b25f1f88d386f9f7

SHA512
6bbc61dea3ea838a87ab839189dbfa1672cd8ea5ab595d7cb04389d61cdd0687fc10e05b596459da54b345fb073459fc800f3a61c980dc14455670a8038467cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1314a7d4-9bd0-436c-b08c-5b9ec570c48a.vbs

Filesize
737B

MD5
669a4e9e0823e75f7ea5d3f01ce95da1

SHA1
27ef51b2ae851a3651a8ffc424ab3a552a632d21

SHA256
0fe0b4683521bf2e82a74db5f9b8d4d1947c5974b9f2722393ba1f29301525cb

SHA512
be33ab5982cef1b3705d7f3349036cb018f4a9a175453314dd1aa63d5326a72252739e5023d322d764c442b452f2f9719e568b573988c328fefed707b410c935

Download Submit
C:\Users\Admin\AppData\Local\Temp\15ad3b68-8f46-4b54-b07d-51f5439dd032.vbs

Filesize
737B

MD5
9403ab95f6d5a1353e31abecc417da25

SHA1
7c26ad7b1adfe97392d55bfe2fe2576e4accff8f

SHA256
367e01b5e68a2969130a4842769e3bc6feeaf7498be82286db7279fe4803c1ba

SHA512
bfa3c47e92c7d5b2e7ced93f02d38da8851da8c524d96cb617cba5ea0ab5d226b77a1eb5f206a313b73ad818fc63d2021f31bf2c2623776afaedaebc79eae677

Download Submit
C:\Users\Admin\AppData\Local\Temp\201751dd-04d0-4d69-9c0b-1b9e9c9f96a5.vbs

Filesize
737B

MD5
60eb658e58a54645df84fc3bd71cf4f8

SHA1
008ec5718df6e9fca9e2da11e31c94bb2ad0e563

SHA256
1acd013198946d5473b511daf03f3b1376fb0e7558c487aac9561606f1cca76f

SHA512
4b7a8fcb6b16961485f666776257a0541338cee7f517fff46dc874caf30eb63ec52bd7b5c830495e6b3432c346ad9e8fe59549a53c65ebd8671e7c58b7764a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\239ec85d-df20-4da9-80a6-c9756e516024.vbs

Filesize
737B

MD5
ed47ef8f3d4921748449a42d2f380967

SHA1
a5b256d429a3eb4ad8b9d1d083041e1d45f8bee7

SHA256
d7dd8fa37fdd8dbfab64d32a8fb0a374f28cbc1cd76bd20590aa02d9f3b0f645

SHA512
413cf159122879bb1b30ccbe1c1aa9280e50f1162ed3bf6c21cb6224ff971ce118ef36d15aa067500923993421d852e30a023ea70df3e0acb92acb2e85d09f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d431373-65cf-4d66-bc0a-4e01b18d7d4b.vbs

Filesize
736B

MD5
58918c13556f99fed91ae575a348f254

SHA1
21132c6adc2afe766b5ba90fa4ad45da71c2277d

SHA256
6ef09741e44c9c510b0b01a210908ecccce39c538434c7a67d8f448938f00d4b

SHA512
3cd20a3d14a1c43fac95755eaa5d691c094429579285d3fbdda7c24b148f5b361fc760e0836349036fe8417040b48e62d3abe5f19a32c2f874a94a2b5b9221a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\33aa56ca-3466-48a7-bec9-d0545e7acd0d.vbs

Filesize
737B

MD5
7ef1523b01dfac5ce289708911f1f4b3

SHA1
32faf69c81a2b73ed1d324afda34cb4cfa486a8b

SHA256
58cd87b5daa82baabf5413dac00f35f46b695e0af8f81ab821d5a94f36b044ff

SHA512
c54c8da2aca7d59dbe81ada508c9237e3b2657050c656bf97316e9815a461fedee161cff347abdefd125f6dddfb49e278fae10b0bc3a56f3693d049ea34b15e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\40ae1005-2b41-4dba-96f8-ae42ab04375c.vbs

Filesize
513B

MD5
59fb10e459afb8d8ba14774478c472b7

SHA1
7cb0c2a0680d1f820f85b9a2b822fd2fe0224631

SHA256
5317c3065f1d98867f1a5ea5ee6b4aa3b05960a2a613bad07375e319646fddbf

SHA512
40d122d5810d3398388b47aeee74989028dd7064c5a400ba7bb2fcde67bd8b1db5b26cf904475edb2a90fff9e285cd5c3ac612a2fd3e9489eac30dcc04ee110a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d9f4bf7-88a8-466c-8901-ee7ddf7c8af5.vbs

Filesize
737B

MD5
c0f3feaac128f9c2b0c8aa159170cb0b

SHA1
decfc41035f11f52b5195b31f153d1ae234d79a6

SHA256
fa00c2b43a06479441cd99416a64ff7f7309a8224cd059b632cb5d48bec65768

SHA512
b25b0fe41e9501f94cb405afb5778e588ef5ec59a130c7d0e9468194bfe33a01862287191b37305dd06df9fedb89a2bf794e9d1695b1dfc7802e2fafdb3a8ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\533df304-d383-4abf-aad6-737fdf66c8ec.vbs

Filesize
737B

MD5
1724ca8fcff85dbc4d4ae3f0aee443c5

SHA1
08395a330c923508ba6a97144cfaa8d760d42d63

SHA256
c02eea3bf0583769a8e95c26b84718ade12d47158e332ccf6882b143cb27109d

SHA512
52b83aec5e0204f02042f37d5073196abb4eae980fe9be68455027b61b956c59cdbe9c97f243e79f03ce25ba4d9cc10565c1a6c6393f5f8cda82b3eeb30b7b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\57d0c349-a688-49bd-aee0-a9d8291c96c8.vbs

Filesize
737B

MD5
4226d8fd8fca93ac3389a25d73f72a0f

SHA1
e1f1639eccbf9ec3f11e7319999f88f9c8df8bb1

SHA256
bac3e32bad4481b202f23f959669545d938b99cac9552b22010260c1246ac177

SHA512
e72234dcca95c7fd86746162fedae36d17135441d438ad73ca14bbe158038919dbadfc57ee72c8268d4c08f273373458d52d98e6ad05bb65a0ea3eb7fc5ce108

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d3267fa-b078-481a-867a-8c764a28c715.vbs

Filesize
737B

MD5
e3e612d8e9a988ba069fac2c1480c7c9

SHA1
d60a0a9ac0e84f41f37ed1d71dddf5dadc536464

SHA256
3be0c893f5e350214a57cb07f23679d97eb4d5d3128e340156133fd2fb8d38af

SHA512
2c5da099b06d6ccbd6ddd3a3127cf773db145973e53dc15de621aad6371aa1e7b252a2eda1cbacecc94458003d2840ff278cfdab30b25d3c1400c87388921a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8891cabd-f941-4200-9a15-7c61792c89c1.vbs

Filesize
736B

MD5
984d39b69bc07b4c811007b113ef3c10

SHA1
8a953c8f1576823eb9eec1a363c0d93ae7f8ebca

SHA256
54d97c6815210544c04884727d7eaf67772a829c9d3a38fb396ec8da806256cd

SHA512
4d1ec2c8a73ae773497422979a42bbde7db3396d4afa39b5a3c9a8e6f725e0590ad1f1d1d26a5c51a8c07cb4051bcb73719cb6c8b3c868589b1120323b4e5ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d795f1b3-239c-4b3f-afb6-8cad6e537a99.vbs

Filesize
736B

MD5
455bd6e78f766b849ca6e5c68c6e379a

SHA1
71f1e4264234099319fc5ca2bdb109e3fdd6bc95

SHA256
4f77f5c28e7bb3929777fad4671d22c500db6b44e86de26ffd6c004571eefb0f

SHA512
79c62cde4ebad762f113e4ad10e555175ea8af5bfb1d8ba51de58da14e61519b72415971f322370dc5fc2043410603b060999716d6856bfdb4847a689c3aaba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e082f022-111f-4ea1-b227-9ce3ddbbde3a.vbs

Filesize
737B

MD5
2ff06968e89e60f4dc751bfbc76d5958

SHA1
17eb0458c29e4215fcd0b13a922fd77f59f2f663

SHA256
48d952ee8abdfdbdf7a83a9394f43b6ba52a960f04d8ab62e468cb1fe9225c85

SHA512
d3ec7afb6820422b708d52fbc92adc04804103231c197952a251acff86dc1431b91aceaf484c06b885d1ab381bd6742b6e8f2b8bb85b9f98df837eda8dc6248b

Download Submit
memory/264-178-0x00000000001A0000-0x000000000030A000-memory.dmp

Filesize
1.4MB

Download
memory/604-98-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/784-52-0x0000000000A50000-0x0000000000A62000-memory.dmp

Filesize
72KB

Download
memory/956-190-0x0000000000930000-0x0000000000A9A000-memory.dmp

Filesize
1.4MB

Download
memory/1744-166-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/1824-110-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/2084-40-0x00000000011E0000-0x000000000134A000-memory.dmp

Filesize
1.4MB

Download
memory/2220-4-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2220-2-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2220-7-0x0000000000320000-0x0000000000332000-memory.dmp

Filesize
72KB

Download
memory/2220-41-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2220-0-0x000007FEF64B3000-0x000007FEF64B4000-memory.dmp

Filesize
4KB

Download
memory/2220-6-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/2220-3-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/2220-5-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/2220-8-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2220-1-0x0000000000030000-0x000000000019A000-memory.dmp

Filesize
1.4MB

Download
memory/2220-10-0x0000000000640000-0x000000000064E000-memory.dmp

Filesize
56KB

Download
memory/2220-9-0x0000000000580000-0x000000000058A000-memory.dmp

Filesize
40KB

Download
memory/2220-11-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2344-75-0x00000000013A0000-0x000000000150A000-memory.dmp

Filesize
1.4MB

Download