dcrat | 8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
Size

2.8MB
MD5

6258c0d7c31a5ba4b2b0cb9c97606acd
SHA1

123138131fc33eeeedc82e795f201981232a55b1
SHA256

8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4
SHA512

9e8248a258475bf8676b041073da7985a3b0a6e57cf7293415e3dd1e6e8fd6bd0056ba4d60b33f6d4c0cfec4b3f33c43e88881c6a0f6fc52f3654ff12022875e
SSDEEP

49152:rPloaBLYs0dLLXmgmQPDWSJNCQdi2GjyIlAd28nZbmsl+S2sJaOP:rPl7ZoLbFmsPNHi2GjLAdVlqO

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	208	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	208	schtasks.exe	85

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exelsass.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/3612-1-0x0000000000DD0000-0x00000000010A2000-memory.dmp	dcrat
behavioral2/files/0x0008000000023c11-31.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe

Executes dropped EXE 1 IoCs

Processes:

lsass.exe

pid	Process
1148	lsass.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exelsass.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Drops file in Program Files directory 15 IoCs

Processes:

8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe

description	ioc	Process
File created	C:\Program Files\Windows Defender\uk-UA\OfficeClickToRun.exe	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\eddb19405b7ce1	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\fontdrvhost.exe	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File created	C:\Program Files (x86)\Internet Explorer\3c4c204b9d90f0	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\5b884080fd4f94	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File created	C:\Program Files (x86)\Internet Explorer\8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\fontdrvhost.exe	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\backgroundTaskHost.exe	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\5b884080fd4f94	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\backgroundTaskHost.exe	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfficeClickToRun.exe	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File created	C:\Program Files\Windows Defender\uk-UA\e6c9b481da804f	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe

Drops file in Windows directory 12 IoCs

Processes:

8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe

description	ioc	Process
File created	C:\Windows\Fonts\lsass.exe	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File created	C:\Windows\Fonts\6203df4a6bafc7	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File created	C:\Windows\TAPI\OfficeClickToRun.exe	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File created	C:\Windows\it-IT\csrss.exe	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\SppExtComObj.exe	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File opened for modification	C:\Windows\Fonts\lsass.exe	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File opened for modification	C:\Windows\TAPI\OfficeClickToRun.exe	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File opened for modification	C:\Windows\it-IT\csrss.exe	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File created	C:\Windows\TAPI\e6c9b481da804f	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File created	C:\Windows\it-IT\886983d96e3d3e	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\e1ef82546f0b02	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\SppExtComObj.exe	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
700	schtasks.exe
3020	schtasks.exe
1476	schtasks.exe
3168	schtasks.exe
4372	schtasks.exe
1440	schtasks.exe
4300	schtasks.exe
2780	schtasks.exe
4804	schtasks.exe
1572	schtasks.exe
4696	schtasks.exe
2392	schtasks.exe
3176	schtasks.exe
2656	schtasks.exe
4380	schtasks.exe
4480	schtasks.exe
3164	schtasks.exe
1748	schtasks.exe
3040	schtasks.exe
3680	schtasks.exe
2496	schtasks.exe
4360	schtasks.exe
4240	schtasks.exe
1992	schtasks.exe
752	schtasks.exe
4080	schtasks.exe
1944	schtasks.exe
4356	schtasks.exe
3744	schtasks.exe
4536	schtasks.exe
968	schtasks.exe
380	schtasks.exe
4720	schtasks.exe
4992	schtasks.exe
4248	schtasks.exe
1524	schtasks.exe
2476	schtasks.exe
992	schtasks.exe
3992	schtasks.exe
384	schtasks.exe
4428	schtasks.exe
4388	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exelsass.exe

pid	Process
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
1148	lsass.exe
1148	lsass.exe
1148	lsass.exe
1148	lsass.exe
1148	lsass.exe
1148	lsass.exe
1148	lsass.exe
1148	lsass.exe
1148	lsass.exe
1148	lsass.exe
1148	lsass.exe
1148	lsass.exe
1148	lsass.exe
1148	lsass.exe
1148	lsass.exe
1148	lsass.exe
1148	lsass.exe
1148	lsass.exe
1148	lsass.exe
1148	lsass.exe
1148	lsass.exe
1148	lsass.exe
1148	lsass.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

lsass.exe

pid	Process
1148	lsass.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exelsass.exe

description	pid	Process
Token: SeDebugPrivilege	3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
Token: SeDebugPrivilege	1148	lsass.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.execmd.exe

description	pid	Process	procid_target
PID 3612 wrote to memory of 4012	3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe	137
PID 3612 wrote to memory of 4012	3612	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe	137
PID 4012 wrote to memory of 2356	4012	cmd.exe	139
PID 4012 wrote to memory of 2356	4012	cmd.exe	139
PID 4012 wrote to memory of 1148	4012	cmd.exe	140
PID 4012 wrote to memory of 1148	4012	cmd.exe	140

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

lsass.exe8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
"C:\Users\Admin\AppData\Local\Temp\8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lFjmtLGJzS.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2356
- - C:\Windows\Fonts\lsass.exe
    "C:\Windows\Fonts\lsass.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\uk-UA\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\uk-UA\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\uk-UA\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed48" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed48" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Fonts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\TAPI\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default\Pictures\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Pictures\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\RemoteDesktops\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\RemotePackages\RemoteDesktops\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lFjmtLGJzS.bat

Filesize
191B

MD5
e7c01ad1689d1f347d8723862f0cc9eb

SHA1
77aab0811e2d279d9d29d9c850e23906a8a5e094

SHA256
b12ce2e359996992eb284f9b2accca292ac81031790e0016877da2306ee601f2

SHA512
8e642daee3891d96dcab914a7c317dfa2767348832278010e3c71388f6a8656f4dc588466ec97f152de52b3cfc8a8741a1e6fef62ff244ce62f749c29b78c742

Download Submit
C:\Windows\TAPI\OfficeClickToRun.exe

Filesize
2.8MB

MD5
6258c0d7c31a5ba4b2b0cb9c97606acd

SHA1
123138131fc33eeeedc82e795f201981232a55b1

SHA256
8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4

SHA512
9e8248a258475bf8676b041073da7985a3b0a6e57cf7293415e3dd1e6e8fd6bd0056ba4d60b33f6d4c0cfec4b3f33c43e88881c6a0f6fc52f3654ff12022875e

Download Submit
memory/1148-77-0x000000001D5F0000-0x000000001D602000-memory.dmp

Filesize
72KB

Download
memory/3612-14-0x000000001C360000-0x000000001C372000-memory.dmp

Filesize
72KB

Download
memory/3612-17-0x000000001C550000-0x000000001C55C000-memory.dmp

Filesize
48KB

Download
memory/3612-5-0x000000001C380000-0x000000001C3D0000-memory.dmp

Filesize
320KB

Download
memory/3612-7-0x000000001BBE0000-0x000000001BBF0000-memory.dmp

Filesize
64KB

Download
memory/3612-9-0x000000001C330000-0x000000001C338000-memory.dmp

Filesize
32KB

Download
memory/3612-10-0x000000001C340000-0x000000001C352000-memory.dmp

Filesize
72KB

Download
memory/3612-8-0x000000001BBF0000-0x000000001BC06000-memory.dmp

Filesize
88KB

Download
memory/3612-6-0x000000001BBD0000-0x000000001BBD8000-memory.dmp

Filesize
32KB

Download
memory/3612-11-0x000000001C370000-0x000000001C37A000-memory.dmp

Filesize
40KB

Download
memory/3612-12-0x000000001C4D0000-0x000000001C526000-memory.dmp

Filesize
344KB

Download
memory/3612-13-0x000000001C350000-0x000000001C358000-memory.dmp

Filesize
32KB

Download
memory/3612-0-0x00007FFA0AAB3000-0x00007FFA0AAB5000-memory.dmp

Filesize
8KB

Download
memory/3612-15-0x000000001CA70000-0x000000001CF98000-memory.dmp

Filesize
5.2MB

Download
memory/3612-4-0x0000000003240000-0x000000000325C000-memory.dmp

Filesize
112KB

Download
memory/3612-18-0x000000001C660000-0x000000001C66C000-memory.dmp

Filesize
48KB

Download
memory/3612-16-0x000000001C540000-0x000000001C548000-memory.dmp

Filesize
32KB

Download
memory/3612-19-0x000000001C670000-0x000000001C67E000-memory.dmp

Filesize
56KB

Download
memory/3612-20-0x000000001C680000-0x000000001C68C000-memory.dmp

Filesize
48KB

Download
memory/3612-22-0x000000001BB90000-0x000000001BB9C000-memory.dmp

Filesize
48KB

Download
memory/3612-21-0x000000001C790000-0x000000001C79A000-memory.dmp

Filesize
40KB

Download
memory/3612-3-0x0000000001880000-0x000000000188E000-memory.dmp

Filesize
56KB

Download
memory/3612-62-0x00007FFA0AAB3000-0x00007FFA0AAB5000-memory.dmp

Filesize
8KB

Download
memory/3612-65-0x00007FFA0AAB0000-0x00007FFA0B571000-memory.dmp

Filesize
10.8MB

Download
memory/3612-2-0x00007FFA0AAB0000-0x00007FFA0B571000-memory.dmp

Filesize
10.8MB

Download
memory/3612-73-0x00007FFA0AAB0000-0x00007FFA0B571000-memory.dmp

Filesize
10.8MB

Download
memory/3612-1-0x0000000000DD0000-0x00000000010A2000-memory.dmp

Filesize
2.8MB

Download