dcrat | 272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/10/2024, 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77FFFEE187FABB45FFC7219D421EA83F.exe
Size

1.4MB
MD5

77fffee187fabb45ffc7219d421ea83f
SHA1

3f21e5a79d674131678ac5de8eaf30bbfcbb177c
SHA256

272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26
SHA512

3c27ed77b4e5c522804b48b94b70071bc07b4227ed3f5018d45160cb192136296f75a84af770caf72c797d2ea7fa36c8d897f2d68199f0fe0123c94781452b1f
SSDEEP

24576:KufUOExyABqHwzAsZg7ySXHzf9gUQ4zWp2Wn7b5kXxK:K3zBqATEzf9gUQPn7b5kXx

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 38 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
File created	C:\Program Files\Windows Media Player\Skins\c5b4cb5e9653cc		77FFFEE187FABB45FFC7219D421EA83F.exe
		2876	schtasks.exe
		552	schtasks.exe
		2960	schtasks.exe
		1480	schtasks.exe
		2928	schtasks.exe
		1088	schtasks.exe
		2040	schtasks.exe
		2288	schtasks.exe
		1104	schtasks.exe
		2632	schtasks.exe
		2836	schtasks.exe
		2188	schtasks.exe
		2416	schtasks.exe
		2424	schtasks.exe
		2388	schtasks.exe
		2732	schtasks.exe
		2728	schtasks.exe
		2688	schtasks.exe
		756	schtasks.exe
		2712	schtasks.exe
		2848	schtasks.exe
		2800	schtasks.exe
		1948	schtasks.exe
		1624	schtasks.exe
		2504	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		77FFFEE187FABB45FFC7219D421EA83F.exe
		2768	schtasks.exe
		3020	schtasks.exe
		1456	schtasks.exe
		1640	schtasks.exe
		960	schtasks.exe
		2796	schtasks.exe
		1444	schtasks.exe
		2972	schtasks.exe
		1880	schtasks.exe
		1860	schtasks.exe
		2352	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Skins\\services.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\System.exe\", \"C:\\Program Files\\Internet Explorer\\csrss.exe\", \"C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\csrss.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\System.exe\", \"C:\\Windows\\Vss\\77FFFEE187FABB45FFC7219D421EA83F.exe\", \"C:\\Windows\\Tasks\\lsm.exe\", \"C:\\Program Files\\Common Files\\SpeechEngines\\dwm.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Skins\\services.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\System.exe\", \"C:\\Program Files\\Internet Explorer\\csrss.exe\", \"C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\csrss.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\System.exe\", \"C:\\Windows\\Vss\\77FFFEE187FABB45FFC7219D421EA83F.exe\", \"C:\\Windows\\Tasks\\lsm.exe\", \"C:\\Program Files\\Common Files\\SpeechEngines\\dwm.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Program Files\\DVD Maker\\en-US\\csrss.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Skins\\services.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Skins\\services.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\smss.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Skins\\services.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\System.exe\", \"C:\\Program Files\\Internet Explorer\\csrss.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Skins\\services.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\System.exe\", \"C:\\Program Files\\Internet Explorer\\csrss.exe\", \"C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\csrss.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\System.exe\", \"C:\\Windows\\Vss\\77FFFEE187FABB45FFC7219D421EA83F.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Skins\\services.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\System.exe\", \"C:\\Program Files\\Internet Explorer\\csrss.exe\", \"C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\csrss.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\System.exe\", \"C:\\Windows\\Vss\\77FFFEE187FABB45FFC7219D421EA83F.exe\", \"C:\\Windows\\Tasks\\lsm.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Skins\\services.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Skins\\services.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\System.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Skins\\services.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\System.exe\", \"C:\\Program Files\\Internet Explorer\\csrss.exe\", \"C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\csrss.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Skins\\services.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\System.exe\", \"C:\\Program Files\\Internet Explorer\\csrss.exe\", \"C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\csrss.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\System.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Skins\\services.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\System.exe\", \"C:\\Program Files\\Internet Explorer\\csrss.exe\", \"C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\csrss.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\System.exe\", \"C:\\Windows\\Vss\\77FFFEE187FABB45FFC7219D421EA83F.exe\", \"C:\\Windows\\Tasks\\lsm.exe\", \"C:\\Program Files\\Common Files\\SpeechEngines\\dwm.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2804	schtasks.exe	30

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2364-1-0x00000000001E0000-0x000000000034A000-memory.dmp	dcrat
behavioral1/files/0x000500000001a41c-20.dat	dcrat
behavioral1/memory/1984-42-0x0000000000320000-0x000000000048A000-memory.dmp	dcrat
behavioral1/memory/1440-54-0x0000000000E90000-0x0000000000FFA000-memory.dmp	dcrat
behavioral1/memory/2792-66-0x00000000012B0000-0x000000000141A000-memory.dmp	dcrat
behavioral1/memory/1924-112-0x0000000000120000-0x000000000028A000-memory.dmp	dcrat
behavioral1/memory/2504-125-0x0000000000C20000-0x0000000000D8A000-memory.dmp	dcrat
behavioral1/memory/2584-137-0x0000000000C90000-0x0000000000DFA000-memory.dmp	dcrat
behavioral1/memory/2084-149-0x0000000001280000-0x00000000013EA000-memory.dmp	dcrat

Executes dropped EXE 13 IoCs

pid	Process
1984	smss.exe
1440	smss.exe
2792	smss.exe
1856	smss.exe
1312	smss.exe
1596	smss.exe
1924	smss.exe
2504	smss.exe
2584	smss.exe
2084	smss.exe
1532	smss.exe
2624	smss.exe
2188	smss.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\DVD Maker\\en-US\\csrss.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\csrss.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\smss.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\smss.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\csrss.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\77FFFEE187FABB45FFC7219D421EA83F = "\"C:\\Windows\\Vss\\77FFFEE187FABB45FFC7219D421EA83F.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\77FFFEE187FABB45FFC7219D421EA83F = "\"C:\\Windows\\Vss\\77FFFEE187FABB45FFC7219D421EA83F.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Tasks\\lsm.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Common Files\\SpeechEngines\\dwm.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Media Player\\Skins\\services.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\DVD Maker\\en-US\\csrss.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Internet Explorer\\csrss.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Journal\\ja-JP\\System.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Journal\\ja-JP\\System.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\sppsvc.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\System.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\System.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Internet Explorer\\csrss.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Tasks\\lsm.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Common Files\\SpeechEngines\\dwm.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\sppsvc.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Media Player\\Skins\\services.exe\""	77FFFEE187FABB45FFC7219D421EA83F.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	77FFFEE187FABB45FFC7219D421EA83F.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\27d1bcfc3c54e0	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Program Files\Internet Explorer\csrss.exe	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Program Files\Windows Journal\ja-JP\27d1bcfc3c54e0	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Program Files\Common Files\SpeechEngines\dwm.exe	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Program Files\Common Files\SpeechEngines\6cb0b6c459d5d3	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Program Files\Windows Media Player\Skins\services.exe	77FFFEE187FABB45FFC7219D421EA83F.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\services.exe	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Program Files\Windows Media Player\Skins\c5b4cb5e9653cc	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Program Files\DVD Maker\en-US\csrss.exe	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Program Files\DVD Maker\en-US\886983d96e3d3e	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Program Files (x86)\Microsoft.NET\System.exe	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Program Files\Internet Explorer\886983d96e3d3e	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Program Files\Windows Journal\ja-JP\System.exe	77FFFEE187FABB45FFC7219D421EA83F.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\886983d96e3d3e	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Windows\Vss\77FFFEE187FABB45FFC7219D421EA83F.exe	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Windows\Vss\f0ce4a6d92b3bf	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Windows\Tasks\lsm.exe	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Windows\Tasks\101b941d020240	77FFFEE187FABB45FFC7219D421EA83F.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\csrss.exe	77FFFEE187FABB45FFC7219D421EA83F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2728	schtasks.exe
2848	schtasks.exe
2732	schtasks.exe
2800	schtasks.exe
2796	schtasks.exe
1860	schtasks.exe
2424	schtasks.exe
1880	schtasks.exe
2712	schtasks.exe
2040	schtasks.exe
2188	schtasks.exe
2288	schtasks.exe
2416	schtasks.exe
2768	schtasks.exe
2688	schtasks.exe
2928	schtasks.exe
1640	schtasks.exe
2632	schtasks.exe
2504	schtasks.exe
1624	schtasks.exe
1480	schtasks.exe
2876	schtasks.exe
1444	schtasks.exe
2836	schtasks.exe
756	schtasks.exe
2388	schtasks.exe
960	schtasks.exe
1456	schtasks.exe
1088	schtasks.exe
1104	schtasks.exe
3020	schtasks.exe
1948	schtasks.exe
552	schtasks.exe
2972	schtasks.exe
2960	schtasks.exe
2352	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	77FFFEE187FABB45FFC7219D421EA83F.exe
2364	77FFFEE187FABB45FFC7219D421EA83F.exe
2364	77FFFEE187FABB45FFC7219D421EA83F.exe
2364	77FFFEE187FABB45FFC7219D421EA83F.exe
2364	77FFFEE187FABB45FFC7219D421EA83F.exe
2364	77FFFEE187FABB45FFC7219D421EA83F.exe
2364	77FFFEE187FABB45FFC7219D421EA83F.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1984	smss.exe
1440	smss.exe
1440	smss.exe
1440	smss.exe
1440	smss.exe
1440	smss.exe
1440	smss.exe
1440	smss.exe
1440	smss.exe
1440	smss.exe
1440	smss.exe
1440	smss.exe
1440	smss.exe
1440	smss.exe
1440	smss.exe
1440	smss.exe
1440	smss.exe
1440	smss.exe
1440	smss.exe
1440	smss.exe
1440	smss.exe
1440	smss.exe
1440	smss.exe
1440	smss.exe
1440	smss.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	77FFFEE187FABB45FFC7219D421EA83F.exe
Token: SeDebugPrivilege	1984	smss.exe
Token: SeDebugPrivilege	1440	smss.exe
Token: SeDebugPrivilege	2792	smss.exe
Token: SeDebugPrivilege	1856	smss.exe
Token: SeDebugPrivilege	1312	smss.exe
Token: SeDebugPrivilege	1596	smss.exe
Token: SeDebugPrivilege	1924	smss.exe
Token: SeDebugPrivilege	2504	smss.exe
Token: SeDebugPrivilege	2584	smss.exe
Token: SeDebugPrivilege	2084	smss.exe
Token: SeDebugPrivilege	1532	smss.exe
Token: SeDebugPrivilege	2624	smss.exe
Token: SeDebugPrivilege	2188	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1984	2364	77FFFEE187FABB45FFC7219D421EA83F.exe	67
PID 2364 wrote to memory of 1984	2364	77FFFEE187FABB45FFC7219D421EA83F.exe	67
PID 2364 wrote to memory of 1984	2364	77FFFEE187FABB45FFC7219D421EA83F.exe	67
PID 1984 wrote to memory of 2228	1984	smss.exe	68
PID 1984 wrote to memory of 2228	1984	smss.exe	68
PID 1984 wrote to memory of 2228	1984	smss.exe	68
PID 1984 wrote to memory of 1448	1984	smss.exe	69
PID 1984 wrote to memory of 1448	1984	smss.exe	69
PID 1984 wrote to memory of 1448	1984	smss.exe	69
PID 2228 wrote to memory of 1440	2228	WScript.exe	71
PID 2228 wrote to memory of 1440	2228	WScript.exe	71
PID 2228 wrote to memory of 1440	2228	WScript.exe	71
PID 1440 wrote to memory of 2872	1440	smss.exe	72
PID 1440 wrote to memory of 2872	1440	smss.exe	72
PID 1440 wrote to memory of 2872	1440	smss.exe	72
PID 1440 wrote to memory of 2908	1440	smss.exe	73
PID 1440 wrote to memory of 2908	1440	smss.exe	73
PID 1440 wrote to memory of 2908	1440	smss.exe	73
PID 2872 wrote to memory of 2792	2872	WScript.exe	74
PID 2872 wrote to memory of 2792	2872	WScript.exe	74
PID 2872 wrote to memory of 2792	2872	WScript.exe	74
PID 2792 wrote to memory of 2628	2792	smss.exe	75
PID 2792 wrote to memory of 2628	2792	smss.exe	75
PID 2792 wrote to memory of 2628	2792	smss.exe	75
PID 2792 wrote to memory of 1892	2792	smss.exe	76
PID 2792 wrote to memory of 1892	2792	smss.exe	76
PID 2792 wrote to memory of 1892	2792	smss.exe	76
PID 2628 wrote to memory of 1856	2628	WScript.exe	77
PID 2628 wrote to memory of 1856	2628	WScript.exe	77
PID 2628 wrote to memory of 1856	2628	WScript.exe	77
PID 1856 wrote to memory of 1364	1856	smss.exe	78
PID 1856 wrote to memory of 1364	1856	smss.exe	78
PID 1856 wrote to memory of 1364	1856	smss.exe	78
PID 1856 wrote to memory of 2532	1856	smss.exe	79
PID 1856 wrote to memory of 2532	1856	smss.exe	79
PID 1856 wrote to memory of 2532	1856	smss.exe	79
PID 1364 wrote to memory of 1312	1364	WScript.exe	80
PID 1364 wrote to memory of 1312	1364	WScript.exe	80
PID 1364 wrote to memory of 1312	1364	WScript.exe	80
PID 1312 wrote to memory of 2216	1312	smss.exe	81
PID 1312 wrote to memory of 2216	1312	smss.exe	81
PID 1312 wrote to memory of 2216	1312	smss.exe	81
PID 1312 wrote to memory of 1472	1312	smss.exe	82
PID 1312 wrote to memory of 1472	1312	smss.exe	82
PID 1312 wrote to memory of 1472	1312	smss.exe	82
PID 2216 wrote to memory of 1596	2216	WScript.exe	83
PID 2216 wrote to memory of 1596	2216	WScript.exe	83
PID 2216 wrote to memory of 1596	2216	WScript.exe	83
PID 1596 wrote to memory of 2904	1596	smss.exe	84
PID 1596 wrote to memory of 2904	1596	smss.exe	84
PID 1596 wrote to memory of 2904	1596	smss.exe	84
PID 1596 wrote to memory of 2564	1596	smss.exe	85
PID 1596 wrote to memory of 2564	1596	smss.exe	85
PID 1596 wrote to memory of 2564	1596	smss.exe	85
PID 2904 wrote to memory of 1924	2904	WScript.exe	86
PID 2904 wrote to memory of 1924	2904	WScript.exe	86
PID 2904 wrote to memory of 1924	2904	WScript.exe	86
PID 1924 wrote to memory of 588	1924	smss.exe	87
PID 1924 wrote to memory of 588	1924	smss.exe	87
PID 1924 wrote to memory of 588	1924	smss.exe	87
PID 1924 wrote to memory of 2768	1924	smss.exe	88
PID 1924 wrote to memory of 2768	1924	smss.exe	88
PID 1924 wrote to memory of 2768	1924	smss.exe	88
PID 588 wrote to memory of 2504	588	WScript.exe	89

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	77FFFEE187FABB45FFC7219D421EA83F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\77FFFEE187FABB45FFC7219D421EA83F.exe
"C:\Users\Admin\AppData\Local\Temp\77FFFEE187FABB45FFC7219D421EA83F.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2364
- C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe
  "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1984
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f45bfc5f-e5cd-4cc0-bde8-5703966fe04a.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe
      "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1440
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96a085f8-a97a-414a-9ca4-192ff2cda939.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2872
      - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a506f719-7226-42ab-ac34-0cc38b61d422.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1026bdbc-35b4-4441-8a8f-9bd0aa7f0914.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f3dd28f-a21e-40fe-bd1b-e167dde51a71.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb4b7e5f-0ca5-4294-b0e9-7e810b5bf2f6.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78d0edf7-5d25-4e16-8f60-7f694832ed36.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0af4b518-1c88-4e7e-92d4-aa0185a5f3ec.vbs"
        17⤵
        
        PID:756
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c666f670-231d-476a-869c-105a19394e69.vbs"
        19⤵
        
        PID:2924
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3f3a17d-630d-4efa-8968-80f1a0815f34.vbs"
        21⤵
        
        PID:2736
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e24691ce-7528-4610-b47e-e7492654d7b4.vbs"
        23⤵
        
        PID:1432
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe"
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4be5ffd0-a1c6-4f16-ae44-21c8441a95c3.vbs"
        25⤵
        
        PID:1456
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe"
        26⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f4dbe59-7d26-48cc-9f55-a13ebf7c8b31.vbs"
        27⤵
        
        PID:2836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fbe348a-48b0-424f-9901-5df34ec7bea1.vbs"
        27⤵
        
        PID:1188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\925f251b-27cb-4281-8722-cc17929ebec4.vbs"
        25⤵
        
        PID:1444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\073fe2e3-020e-4f6f-b132-7da61cc72d41.vbs"
        23⤵
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45c5efad-881d-426a-9839-7e001436ded2.vbs"
        21⤵
        
        PID:2812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97faa95f-4cb8-470c-b5fe-0b2e240ed8f7.vbs"
        19⤵
        
        PID:1364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2962199e-38f2-45e2-84bb-bdd41d6d167a.vbs"
        17⤵
        
        PID:2820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de9f3825-212c-4943-9d6e-14116868f8cb.vbs"
        15⤵
        
        PID:2768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e02edaa1-2316-482c-bdb7-1a9ece93e5f6.vbs"
        13⤵
        
        PID:2564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85172093-5b62-4caf-9af9-8d0ea4688d62.vbs"
        11⤵
        
        PID:1472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ef8c678-63f1-4f5d-bb49-8d48566cd8fe.vbs"
        9⤵
        
        PID:2532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00d57176-02a0-4e23-a866-c6b0a9562a50.vbs"
        7⤵
        
        PID:1892
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6676679-061b-4394-ba24-c23b2a284d43.vbs"
        5⤵
        
        PID:2908
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce1cb4c2-9486-42ed-aab0-7f729a1b2ea7.vbs"
    3⤵
    PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\Skins\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Skins\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Skins\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\ja-JP\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "77FFFEE187FABB45FFC7219D421EA83F7" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\77FFFEE187FABB45FFC7219D421EA83F.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "77FFFEE187FABB45FFC7219D421EA83F" /sc ONLOGON /tr "'C:\Windows\Vss\77FFFEE187FABB45FFC7219D421EA83F.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "77FFFEE187FABB45FFC7219D421EA83F7" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\77FFFEE187FABB45FFC7219D421EA83F.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Tasks\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\SpeechEngines\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\SpeechEngines\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\en-US\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\csrss.exe

Filesize
1.4MB

MD5
77fffee187fabb45ffc7219d421ea83f

SHA1
3f21e5a79d674131678ac5de8eaf30bbfcbb177c

SHA256
272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26

SHA512
3c27ed77b4e5c522804b48b94b70071bc07b4227ed3f5018d45160cb192136296f75a84af770caf72c797d2ea7fa36c8d897f2d68199f0fe0123c94781452b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0af4b518-1c88-4e7e-92d4-aa0185a5f3ec.vbs

Filesize
747B

MD5
f6bce81c4100d49be5ae6b89f7a275e7

SHA1
6830b91401ed090ddf5619fa3f8bac8428fb01b5

SHA256
1fc3e31140ca0f4a0f369cd92a96e42884e485e1362cc9041b4c84f2bad4cf0e

SHA512
aeabe2bccaf105b5f628fad72d501cb090dbec8bafb386cab9a281b1a5da6b9e7d9bdfb4aea7e627181894d516b1755bd868d6394104712940e71621443bb48c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1026bdbc-35b4-4441-8a8f-9bd0aa7f0914.vbs

Filesize
747B

MD5
73029b51fd377260c23f0b9313dc2d71

SHA1
2585a9c0fe5aa0b544b0b4d173b75534109ab3e5

SHA256
553da76276e67c93a546df99bccac4745caa8dd5c308a056491043b7c9fd5197

SHA512
c99452a4c7cc44a8ea67265e52990e514100e577f86d7c773a93d403c61d8ae8274d0246561d6662618c76d4f534b49a463cf3ddc2681deb7d05e5b587eba4b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4be5ffd0-a1c6-4f16-ae44-21c8441a95c3.vbs

Filesize
747B

MD5
16a1655988395be76bf77ad7fbdc39bd

SHA1
97f645890d6a2695cd82287bb9e4cda226ad6fcd

SHA256
e8df02e02aa8571a9abfc5f602b8b1e90c4cda6ac6a63a173bdb5c3f5fe0b2aa

SHA512
538a7c211092465f47040b4a86a8594090917fd95474ad7abd84cc068078aee12fed0ff8c4b9708dce17081f4f80a64fc0ccfee09ce6f2780dc18b13272e38de

Download Submit
C:\Users\Admin\AppData\Local\Temp\78d0edf7-5d25-4e16-8f60-7f694832ed36.vbs

Filesize
747B

MD5
fb007de97715d8c04ac156561663b2db

SHA1
cc219b4a3d52ae5efa042708bd90477a9b6f096a

SHA256
4987cec8dc910d3051eee20e9916ff3e837d8eb517399ea6c0daff05f43d3acf

SHA512
9012c4666de2bfc6ed318b5fcbea82b585c0e74dfde1c68de15562c76f38124d986a76f44aee9e095d2f0f727105c9b9db4334daa15b798884fcdf812a7be30b

Download Submit
C:\Users\Admin\AppData\Local\Temp\96a085f8-a97a-414a-9ca4-192ff2cda939.vbs

Filesize
747B

MD5
599d546a53e60c47da0536ab1ef247b3

SHA1
53282f7b74c6bde6cbb1ef06925c1247af5a17e2

SHA256
a05357508d6d842b1bfcab52f747c68254ee65729e2d96a581484e713318f81e

SHA512
867d604d6727c319d057b8e6d9fc5f254f41004dd8dec5787327865e6d25b787f49af1a1b7d8bacee4bcd60e2a9bf352b598acfe2f449764dabdc8eda990ca0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f3dd28f-a21e-40fe-bd1b-e167dde51a71.vbs

Filesize
747B

MD5
fa1c37c7530b67c7dc4ca18ca19ff4af

SHA1
6685697c7a9234c9d6dcf3db7f8f08d77fe4bc4d

SHA256
864bea6ab7dfe6089f13eef88713e9f84ddb41498341e526b3261093e26684b4

SHA512
1b186ecca0e17951f06e739de44d330844c84d4bd531897fdd6bbed6d0ec6c6fa92ff0e0c95409125554863f7a7fd9a8f052d890ad70b140e6608b812b177df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f4dbe59-7d26-48cc-9f55-a13ebf7c8b31.vbs

Filesize
747B

MD5
aa898e8abf8f85430d2a051ce62c0631

SHA1
8d3ee28029d6e47318f2c92d4eb8a37232a07866

SHA256
21c1f05e3f29ffdbceb6e2648ec86194a30e0c0bb70c424f424e7e04d6103739

SHA512
1253eb2e115af90b3180c86b917b89cdabfb0034cc2c95c420b2420f2914da98300ca976cb77c594328fcb63afb36388bd77c039f7a83f5ec206d6ee4e4f5443

Download Submit
C:\Users\Admin\AppData\Local\Temp\a506f719-7226-42ab-ac34-0cc38b61d422.vbs

Filesize
747B

MD5
03e17400dae09002575bd87b8d0d3263

SHA1
4805a597fb897ef836ccb04d1026a3b6f9d51130

SHA256
a19f6585be7e3e515db54fa7a6d6876f9aef262ba59577ad956bd4f2a3b5add8

SHA512
69bb560c12230117202cfd8d92bf89c2d95f639224c59ca767e261a464b1dbfe78fc471d74140d38201a63f132bd7b196e16658f38ef075236eaccdbbbbcfb1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c666f670-231d-476a-869c-105a19394e69.vbs

Filesize
747B

MD5
9c386bb78daf0dda45a875beee5fc044

SHA1
414733cfa25bd119f6fb87030efdd6fe7a65896f

SHA256
b535bbca37715f5b6c7ac59d0b8d5eaf2db121a9c20309ee2f19999273fcfd00

SHA512
05a5a91727ea9f4d2a5431a7c554d5017b428ed82bf43a3cc56dc935ab4810f2a4296d61159e91d0d0e050ba90456879ad4d1252ece5fba173c1fc630880d602

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce1cb4c2-9486-42ed-aab0-7f729a1b2ea7.vbs

Filesize
523B

MD5
e017e61dbd5ff3bd923ddced3d250a64

SHA1
725bee845e34cd3248a5a353b3176e12fedaa5e4

SHA256
9b8e8da7cfff9ee39abc297a9b2ac922db447df6785bbd694d011c3b02145d2d

SHA512
fcf5459d18239b89659087b5011554e64996a44636956298e3ac53c01cd7f44a1677f88e7f81bf611c43dadf6be1d1a435bbab4fb6c608639af6fb1bdaa81bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\e24691ce-7528-4610-b47e-e7492654d7b4.vbs

Filesize
747B

MD5
c8bf3410a5b79e65f6b21b8a006c9cb5

SHA1
6c620bad2624db35e5144b7ab60d1e301a327fdc

SHA256
7e690b2b66bf37c0e15f1611a3b12ad456e36d6b36d0c54357005b6a431220fb

SHA512
93958693af0ce8a2d9ceb365a99cf769cc30db8aafa779fea7c022b438356dd9385648f34b7b83ea608de517f6248ac576124c03ca2dba79c5ea0f52c2fa4d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3f3a17d-630d-4efa-8968-80f1a0815f34.vbs

Filesize
747B

MD5
e06be0df18fb54d9053499251fab94d0

SHA1
480e053fe7b78955257cd2a269e477cea7adfa41

SHA256
dbd201d1704400c0eff62ef883505a9308a40c7bea9dbfbb39722b5a031d7ba4

SHA512
78d7b9929d31ae9bfb33b7adf0b3d81f3bebd2b14a119e41393cd0eb4943a51ae5cf8343414e0602d67e39a67a07d6da46c239a26ded94d8b9210c56abac36b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\f45bfc5f-e5cd-4cc0-bde8-5703966fe04a.vbs

Filesize
747B

MD5
6aecbbb4d4c3a2aa4783eb0d0cfb9a9f

SHA1
fb2d1b0d494a7ad0fb0a7e22191ce645bb6f3951

SHA256
8a9aad251d3818bb52e78300c3eca331c343f01238d9278054459205496bfaf4

SHA512
fb1a1789ddc5027d6dc64602e57d8927a516d8efc6c23fd107942bdd301a3c71da9b0afac896af1af9bafcbd2329796467bd21c1c24eaa1b3d3f2ea654af16be

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb4b7e5f-0ca5-4294-b0e9-7e810b5bf2f6.vbs

Filesize
747B

MD5
4e2036cc06a48a1ace38d2fe6addb9c8

SHA1
98d34273809e6d65e5494862342369829aeed294

SHA256
ebaefb2a0a3e47e9bb0839ecf24855f09f91d7fb9464606006ad0d92e82d5853

SHA512
7fff320fc47c1f53b0a98439c677ac66241b9b6959bb9c50bcfe9bbda1774404050c31623dec3cf00259e8d22c98299c0a38983f4cc2aa00e581f574b088b618

Download Submit
memory/1312-89-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/1440-54-0x0000000000E90000-0x0000000000FFA000-memory.dmp

Filesize
1.4MB

Download
memory/1924-112-0x0000000000120000-0x000000000028A000-memory.dmp

Filesize
1.4MB

Download
memory/1924-113-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/1984-42-0x0000000000320000-0x000000000048A000-memory.dmp

Filesize
1.4MB

Download
memory/2084-149-0x0000000001280000-0x00000000013EA000-memory.dmp

Filesize
1.4MB

Download
memory/2188-183-0x0000000000320000-0x0000000000332000-memory.dmp

Filesize
72KB

Download
memory/2364-43-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/2364-2-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/2364-7-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/2364-5-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/2364-11-0x0000000002000000-0x000000000200C000-memory.dmp

Filesize
48KB

Download
memory/2364-3-0x0000000000150000-0x000000000015E000-memory.dmp

Filesize
56KB

Download
memory/2364-4-0x00000000001B0000-0x00000000001CC000-memory.dmp

Filesize
112KB

Download
memory/2364-6-0x0000000000650000-0x000000000065A000-memory.dmp

Filesize
40KB

Download
memory/2364-1-0x00000000001E0000-0x000000000034A000-memory.dmp

Filesize
1.4MB

Download
memory/2364-9-0x0000000001FC0000-0x0000000001FCA000-memory.dmp

Filesize
40KB

Download
memory/2364-0-0x000007FEF59A3000-0x000007FEF59A4000-memory.dmp

Filesize
4KB

Download
memory/2364-10-0x0000000001FD0000-0x0000000001FDE000-memory.dmp

Filesize
56KB

Download
memory/2364-8-0x00000000008A0000-0x00000000008AC000-memory.dmp

Filesize
48KB

Download
memory/2504-125-0x0000000000C20000-0x0000000000D8A000-memory.dmp

Filesize
1.4MB

Download
memory/2584-137-0x0000000000C90000-0x0000000000DFA000-memory.dmp

Filesize
1.4MB

Download
memory/2792-66-0x00000000012B0000-0x000000000141A000-memory.dmp

Filesize
1.4MB

Download