dcrat | 004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766cee

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-11-2024 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Size

952KB
MD5

b86ee30e813ada623950e69411e39f20
SHA1

8027da1ceaf274b125b2499404f44933ce8c1cf3
SHA256

004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766cee
SHA512

c9d16edd860b01f893ee47dd65dea0ee3779015b4039a0fdf05a6567dd5ecdb87ec8012a8306e0237a0675a27e9b3db6553a10fb941336f26fd468fa85ef5fd9
SSDEEP

24576:2+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXX:R8/KfRTK

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 14 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dcomcnfg\\services.exe\", \"C:\\Windows\\System32\\KBDINORI\\dwm.exe\", \"C:\\PerfLogs\\Admin\\System.exe\", \"C:\\Windows\\System32\\vss_ps\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Windows\\System32\\C_10079\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\it-IT\\sppsvc.exe\", \"C:\\Windows\\System32\\secinit\\dllhost.exe\", \"C:\\Windows\\System32\\NlsModels0011\\csrss.exe\", \"C:\\Windows\\System32\\proquota\\dwm.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dcomcnfg\\services.exe\", \"C:\\Windows\\System32\\KBDINORI\\dwm.exe\", \"C:\\PerfLogs\\Admin\\System.exe\", \"C:\\Windows\\System32\\vss_ps\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Windows\\System32\\C_10079\\dwm.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dcomcnfg\\services.exe\", \"C:\\Windows\\System32\\KBDINORI\\dwm.exe\", \"C:\\PerfLogs\\Admin\\System.exe\", \"C:\\Windows\\System32\\vss_ps\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Windows\\System32\\C_10079\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\it-IT\\sppsvc.exe\", \"C:\\Windows\\System32\\secinit\\dllhost.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dcomcnfg\\services.exe\", \"C:\\Windows\\System32\\KBDINORI\\dwm.exe\", \"C:\\PerfLogs\\Admin\\System.exe\", \"C:\\Windows\\System32\\vss_ps\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Windows\\System32\\C_10079\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\it-IT\\sppsvc.exe\", \"C:\\Windows\\System32\\secinit\\dllhost.exe\", \"C:\\Windows\\System32\\NlsModels0011\\csrss.exe\", \"C:\\Windows\\System32\\proquota\\dwm.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\", \"C:\\Windows\\System32\\kbd101\\sppsvc.exe\", \"C:\\Windows\\System32\\sysprep\\en-US\\lsm.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dcomcnfg\\services.exe\", \"C:\\Windows\\System32\\KBDINORI\\dwm.exe\", \"C:\\PerfLogs\\Admin\\System.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dcomcnfg\\services.exe\", \"C:\\Windows\\System32\\KBDINORI\\dwm.exe\", \"C:\\PerfLogs\\Admin\\System.exe\", \"C:\\Windows\\System32\\vss_ps\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Windows\\System32\\C_10079\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\it-IT\\sppsvc.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dcomcnfg\\services.exe\", \"C:\\Windows\\System32\\KBDINORI\\dwm.exe\", \"C:\\PerfLogs\\Admin\\System.exe\", \"C:\\Windows\\System32\\vss_ps\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Windows\\System32\\C_10079\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\it-IT\\sppsvc.exe\", \"C:\\Windows\\System32\\secinit\\dllhost.exe\", \"C:\\Windows\\System32\\NlsModels0011\\csrss.exe\", \"C:\\Windows\\System32\\proquota\\dwm.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\", \"C:\\Windows\\System32\\kbd101\\sppsvc.exe\", \"C:\\Windows\\System32\\sysprep\\en-US\\lsm.exe\", \"C:\\Documents and Settings\\sppsvc.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dcomcnfg\\services.exe\", \"C:\\Windows\\System32\\KBDINORI\\dwm.exe\", \"C:\\PerfLogs\\Admin\\System.exe\", \"C:\\Windows\\System32\\vss_ps\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Windows\\System32\\C_10079\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\it-IT\\sppsvc.exe\", \"C:\\Windows\\System32\\secinit\\dllhost.exe\", \"C:\\Windows\\System32\\NlsModels0011\\csrss.exe\", \"C:\\Windows\\System32\\proquota\\dwm.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dcomcnfg\\services.exe\", \"C:\\Windows\\System32\\KBDINORI\\dwm.exe\", \"C:\\PerfLogs\\Admin\\System.exe\", \"C:\\Windows\\System32\\vss_ps\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Windows\\System32\\C_10079\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\it-IT\\sppsvc.exe\", \"C:\\Windows\\System32\\secinit\\dllhost.exe\", \"C:\\Windows\\System32\\NlsModels0011\\csrss.exe\", \"C:\\Windows\\System32\\proquota\\dwm.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\", \"C:\\Windows\\System32\\kbd101\\sppsvc.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dcomcnfg\\services.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dcomcnfg\\services.exe\", \"C:\\Windows\\System32\\KBDINORI\\dwm.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dcomcnfg\\services.exe\", \"C:\\Windows\\System32\\KBDINORI\\dwm.exe\", \"C:\\PerfLogs\\Admin\\System.exe\", \"C:\\Windows\\System32\\vss_ps\\lsm.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dcomcnfg\\services.exe\", \"C:\\Windows\\System32\\KBDINORI\\dwm.exe\", \"C:\\PerfLogs\\Admin\\System.exe\", \"C:\\Windows\\System32\\vss_ps\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dcomcnfg\\services.exe\", \"C:\\Windows\\System32\\KBDINORI\\dwm.exe\", \"C:\\PerfLogs\\Admin\\System.exe\", \"C:\\Windows\\System32\\vss_ps\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Windows\\System32\\C_10079\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\it-IT\\sppsvc.exe\", \"C:\\Windows\\System32\\secinit\\dllhost.exe\", \"C:\\Windows\\System32\\NlsModels0011\\csrss.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe

Process spawned unexpected child process 14 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	1960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	1960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	1960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	1960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	1960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	1960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	1960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	1960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	1960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	1960	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	1960	schtasks.exe	30

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2092-1-0x00000000009A0000-0x0000000000A94000-memory.dmp	dcrat
behavioral1/files/0x0006000000018696-23.dat	dcrat
behavioral1/files/0x0008000000018697-57.dat	dcrat
behavioral1/memory/2588-121-0x00000000008F0000-0x00000000009E4000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2688	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
2588	csrss.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\KBDINORI\\dwm.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\vss_ps\\lsm.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\proquota\\dwm.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\sysprep\\en-US\\lsm.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Documents and Settings\\sppsvc.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\dcomcnfg\\services.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\vss_ps\\lsm.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\kbd101\\sppsvc.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\KBDINORI\\dwm.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\proquota\\dwm.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\PerfLogs\\Admin\\System.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\C_10079\\dwm.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Sidebar\\it-IT\\sppsvc.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\secinit\\dllhost.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\NlsModels0011\\csrss.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\NlsModels0011\\csrss.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\dcomcnfg\\services.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\secinit\\dllhost.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\C_10079\\dwm.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Sidebar\\it-IT\\sppsvc.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Documents and Settings\\sppsvc.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\kbd101\\sppsvc.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\sysprep\\en-US\\lsm.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\PerfLogs\\Admin\\System.exe\""	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\C_10079\dwm.exe	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File opened for modification	C:\Windows\System32\vss_ps\RCXD217.tmp	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File opened for modification	C:\Windows\System32\KBDINORI\RCXCD90.tmp	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File opened for modification	C:\Windows\System32\vss_ps\lsm.exe	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File opened for modification	C:\Windows\System32\proquota\dwm.exe	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File created	C:\Windows\System32\vss_ps\lsm.exe	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File created	C:\Windows\System32\secinit\5940a34987c99120d96dace90a3f93f329dcad63	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File created	C:\Windows\System32\proquota\6cb0b6c459d5d3455a3da700e713f2e2529862ff	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File opened for modification	C:\Windows\System32\kbd101\sppsvc.exe	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File created	C:\Windows\System32\dcomcnfg\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File created	C:\Windows\System32\vss_ps\101b941d020240259ca4912829b53995ad543df6	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File opened for modification	C:\Windows\System32\dcomcnfg\RCXCB8B.tmp	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File opened for modification	C:\Windows\System32\sysprep\en-US\lsm.exe	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File created	C:\Windows\System32\KBDINORI\dwm.exe	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File opened for modification	C:\Windows\System32\dcomcnfg\services.exe	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File opened for modification	C:\Windows\System32\KBDINORI\RCXCD91.tmp	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File created	C:\Windows\System32\NlsModels0011\csrss.exe	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File created	C:\Windows\System32\proquota\dwm.exe	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File created	C:\Windows\System32\kbd101\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File created	C:\Windows\System32\sysprep\en-US\101b941d020240259ca4912829b53995ad543df6	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File opened for modification	C:\Windows\System32\NlsModels0011\csrss.exe	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File created	C:\Windows\System32\dcomcnfg\services.exe	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File opened for modification	C:\Windows\System32\KBDINORI\dwm.exe	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File created	C:\Windows\System32\secinit\dllhost.exe	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File created	C:\Windows\System32\KBDINORI\6cb0b6c459d5d3455a3da700e713f2e2529862ff	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File opened for modification	C:\Windows\System32\vss_ps\RCXD216.tmp	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File created	C:\Windows\System32\C_10079\6cb0b6c459d5d3455a3da700e713f2e2529862ff	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File created	C:\Windows\System32\NlsModels0011\886983d96e3d3e31032c679b2d4ea91b6c05afef	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File created	C:\Windows\System32\sysprep\en-US\lsm.exe	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File opened for modification	C:\Windows\System32\secinit\dllhost.exe	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File opened for modification	C:\Windows\System32\dcomcnfg\RCXCB8C.tmp	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File created	C:\Windows\System32\kbd101\sppsvc.exe	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File created	C:\Windows\System32\C_10079\dwm.exe	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\it-IT\sppsvc.exe	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File created	C:\Program Files\Windows Sidebar\it-IT\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
File opened for modification	C:\Program Files\Windows Sidebar\it-IT\sppsvc.exe	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2656	schtasks.exe
620	schtasks.exe
2796	schtasks.exe
2132	schtasks.exe
2476	schtasks.exe
2928	schtasks.exe
316	schtasks.exe
2096	schtasks.exe
1720	schtasks.exe
2720	schtasks.exe
1136	schtasks.exe
2604	schtasks.exe
2484	schtasks.exe
2920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2092	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
2688	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
2688	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
2688	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
2688	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
2688	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Token: SeDebugPrivilege	2688	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Token: SeDebugPrivilege	2588	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2688	2092	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe	36
PID 2092 wrote to memory of 2688	2092	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe	36
PID 2092 wrote to memory of 2688	2092	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe	36
PID 2688 wrote to memory of 1080	2688	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe	47
PID 2688 wrote to memory of 1080	2688	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe	47
PID 2688 wrote to memory of 1080	2688	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe	47
PID 1080 wrote to memory of 332	1080	cmd.exe	49
PID 1080 wrote to memory of 332	1080	cmd.exe	49
PID 1080 wrote to memory of 332	1080	cmd.exe	49
PID 1080 wrote to memory of 2588	1080	cmd.exe	50
PID 1080 wrote to memory of 2588	1080	cmd.exe	50
PID 1080 wrote to memory of 2588	1080	cmd.exe	50

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
"C:\Users\Admin\AppData\Local\Temp\004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2092
- C:\Users\Admin\AppData\Local\Temp\004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe
  "C:\Users\Admin\AppData\Local\Temp\004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766ceeN.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2688
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h3zZ5q2iML.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:332
  - - C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe
      "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\dcomcnfg\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\KBDINORI\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\PerfLogs\Admin\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\vss_ps\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\C_10079\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\secinit\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\NlsModels0011\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\proquota\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\kbd101\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\sysprep\en-US\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Documents and Settings\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\System.exe

Filesize
952KB

MD5
4c9ab53ca8384d9884b87b6587764d19

SHA1
03ba5660e6825aec2c508d21b705eecb732b742f

SHA256
8e74b3bff8c483b08b92ace1661ffe9d441fe095093a57c94cd5a606add772d2

SHA512
12f5ad5458cfcbaff3de1c2ce981fdee1f1f6fcd45fb01ca04b82809c47d947bc67dc3425c9edc255c71bfac389ee529c68b29bd3442080874b9c818bcbaf91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXC987.tmp

Filesize
952KB

MD5
b86ee30e813ada623950e69411e39f20

SHA1
8027da1ceaf274b125b2499404f44933ce8c1cf3

SHA256
004e2051dde231741f7be44ccc11a2ac05170785f1c2b702e8ae3ee8b3766cee

SHA512
c9d16edd860b01f893ee47dd65dea0ee3779015b4039a0fdf05a6567dd5ecdb87ec8012a8306e0237a0675a27e9b3db6553a10fb941336f26fd468fa85ef5fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\h3zZ5q2iML.bat

Filesize
222B

MD5
3e4a97b78b7afef013d16dc48170932a

SHA1
0fa2253d163f6a7890951323f2e25af6d4578bb3

SHA256
0caa418176eab887c49ab6c7f4e49018d770c7cfd3664e0e9cd2f777ef1d99ec

SHA512
fd4f6f9126d865fffc433a1f5b73ca226389f303cb91dd4e3c17715a352268b2a05cab07b943403070000de29e64bf4c50a9e0394578e43dfaefc282cd2a59bf

Download Submit
memory/2092-4-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2092-10-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2092-5-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/2092-6-0x0000000000290000-0x000000000029C000-memory.dmp

Filesize
48KB

Download
memory/2092-7-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/2092-8-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download
memory/2092-11-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2092-0-0x000007FEF57A3000-0x000007FEF57A4000-memory.dmp

Filesize
4KB

Download
memory/2092-9-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/2092-3-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/2092-2-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-73-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-1-0x00000000009A0000-0x0000000000A94000-memory.dmp

Filesize
976KB

Download
memory/2588-121-0x00000000008F0000-0x00000000009E4000-memory.dmp

Filesize
976KB

Download