dcrat | b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
Size

2.7MB
MD5

93b41bde029ee047568eaf23be8cf599
SHA1

50ce44062008f18a3127522e5fa94d373c97ca8f
SHA256

b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84
SHA512

8744ac0e952e5e1d9f40dc89a9131353c475d8eeb309d34e68209e985e16fff80e1df3a16282ad48e95e3f27380e6b47e89d2e6df1ac5b652ab8a4b5b85eecf3
SSDEEP

49152:ZVIR0tEKCS4NSvq428wJW2KU3wvEGXFdRp8uM4BQdIFo11IQu:TIR0tWTS5wJW2viXHR65XOi11ID

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat 49 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeb0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	pid	Process
		2468	schtasks.exe
		1736	schtasks.exe
		1604	schtasks.exe
		840	schtasks.exe
		2888	schtasks.exe
		1068	schtasks.exe
		2944	schtasks.exe
		668	schtasks.exe
		2712	schtasks.exe
File created	C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\42af1c969fbb7b		b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
		3028	schtasks.exe
		1308	schtasks.exe
		1156	schtasks.exe
		2544	schtasks.exe
		1548	schtasks.exe
		2296	schtasks.exe
		2876	schtasks.exe
		2660	schtasks.exe
		2812	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File created	C:\Windows\System32\LogFiles\AIT\1610b97d3ab4a7		b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
		820	schtasks.exe
		2464	schtasks.exe
		2072	schtasks.exe
		1492	schtasks.exe
		876	schtasks.exe
		2548	schtasks.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\101b941d020240		b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
		1268	schtasks.exe
		2492	schtasks.exe
		1580	schtasks.exe
		2144	schtasks.exe
		1844	schtasks.exe
		2756	schtasks.exe
		1928	schtasks.exe
		2596	schtasks.exe
		2976	schtasks.exe
		2320	schtasks.exe
		2940	schtasks.exe
		528	schtasks.exe
		2056	schtasks.exe
		344	schtasks.exe
		2684	schtasks.exe
		1716	schtasks.exe
		2460	schtasks.exe
		956	schtasks.exe
		1748	schtasks.exe
		2956	schtasks.exe
		1576	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2668	schtasks.exe	30

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exelsm.exeb0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/3020-1-0x00000000008A0000-0x0000000000B64000-memory.dmp	dcrat
behavioral1/files/0x0005000000019219-30.dat	dcrat
behavioral1/files/0x00090000000164b1-60.dat	dcrat
behavioral1/memory/1296-73-0x0000000000040000-0x0000000000304000-memory.dmp	dcrat
behavioral1/memory/2092-129-0x0000000000120000-0x00000000003E4000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exelsm.exe

pid	Process
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
2092	lsm.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exelsm.exeb0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe

Drops file in System32 directory 5 IoCs

Processes:

b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\LogFiles\AIT\RCX5114.tmp	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File opened for modification	C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File created	C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File created	C:\Windows\System32\LogFiles\AIT\1610b97d3ab4a7	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File opened for modification	C:\Windows\System32\LogFiles\AIT\RCX5096.tmp	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe

Drops file in Program Files directory 20 IoCs

Processes:

b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exeb0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\101b941d020240	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\csrss.exe	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File created	C:\Program Files\Internet Explorer\es-ES\7a0fd90576e088	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File created	C:\Program Files\Windows Portable Devices\lsass.exe	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File created	C:\Program Files\Windows Portable Devices\6203df4a6bafc7	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX4E05.tmp	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File opened for modification	C:\Program Files\Windows Portable Devices\lsass.exe	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\886983d96e3d3e	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File created	C:\Program Files\Internet Explorer\es-ES\explorer.exe	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\101b941d020240	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX4E15.tmp	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\886983d96e3d3e	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\csrss.exe	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\explorer.exe	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe

Drops file in Windows directory 8 IoCs

Processes:

b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exeb0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\1036\explorer.exe	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File created	C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\audiodg.exe	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File opened for modification	C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\audiodg.exe	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File created	C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\42af1c969fbb7b	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File opened for modification	C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\RCX4BE1.tmp	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File opened for modification	C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\RCX4BE2.tmp	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File created	C:\Windows\Microsoft.NET\Framework\1036\explorer.exe	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
File created	C:\Windows\Microsoft.NET\Framework\1036\7a0fd90576e088	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2320	schtasks.exe
1604	schtasks.exe
2944	schtasks.exe
2548	schtasks.exe
1156	schtasks.exe
2464	schtasks.exe
956	schtasks.exe
1748	schtasks.exe
1492	schtasks.exe
2144	schtasks.exe
2712	schtasks.exe
840	schtasks.exe
1844	schtasks.exe
1736	schtasks.exe
2876	schtasks.exe
1580	schtasks.exe
2296	schtasks.exe
2756	schtasks.exe
2956	schtasks.exe
1928	schtasks.exe
1268	schtasks.exe
1068	schtasks.exe
1548	schtasks.exe
528	schtasks.exe
2468	schtasks.exe
876	schtasks.exe
2812	schtasks.exe
1576	schtasks.exe
2596	schtasks.exe
3028	schtasks.exe
2684	schtasks.exe
2940	schtasks.exe
2544	schtasks.exe
820	schtasks.exe
2492	schtasks.exe
2976	schtasks.exe
668	schtasks.exe
1308	schtasks.exe
2056	schtasks.exe
344	schtasks.exe
1716	schtasks.exe
2460	schtasks.exe
2072	schtasks.exe
2888	schtasks.exe
2660	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exeb0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exelsm.exe

pid	Process
3020	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
3020	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
3020	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
3020	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
3020	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
3020	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
3020	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
3020	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
3020	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
3020	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
3020	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
3020	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
3020	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
3020	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
3020	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
2092	lsm.exe
2092	lsm.exe
2092	lsm.exe
2092	lsm.exe
2092	lsm.exe
2092	lsm.exe
2092	lsm.exe
2092	lsm.exe
2092	lsm.exe
2092	lsm.exe
2092	lsm.exe
2092	lsm.exe
2092	lsm.exe
2092	lsm.exe
2092	lsm.exe
2092	lsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exeb0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exelsm.exe

description	pid	Process
Token: SeDebugPrivilege	3020	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
Token: SeDebugPrivilege	1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
Token: SeDebugPrivilege	2092	lsm.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.execmd.exeb0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.execmd.exe

description	pid	Process	procid_target
PID 3020 wrote to memory of 2112	3020	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe	40
PID 3020 wrote to memory of 2112	3020	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe	40
PID 3020 wrote to memory of 2112	3020	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe	40
PID 2112 wrote to memory of 1200	2112	cmd.exe	42
PID 2112 wrote to memory of 1200	2112	cmd.exe	42
PID 2112 wrote to memory of 1200	2112	cmd.exe	42
PID 2112 wrote to memory of 1296	2112	cmd.exe	43
PID 2112 wrote to memory of 1296	2112	cmd.exe	43
PID 2112 wrote to memory of 1296	2112	cmd.exe	43
PID 1296 wrote to memory of 2172	1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe	80
PID 1296 wrote to memory of 2172	1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe	80
PID 1296 wrote to memory of 2172	1296	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe	80
PID 2172 wrote to memory of 1332	2172	cmd.exe	82
PID 2172 wrote to memory of 1332	2172	cmd.exe	82
PID 2172 wrote to memory of 1332	2172	cmd.exe	82
PID 2172 wrote to memory of 2092	2172	cmd.exe	83
PID 2172 wrote to memory of 2092	2172	cmd.exe	83
PID 2172 wrote to memory of 2092	2172	cmd.exe	83

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

Processes:

b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exeb0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exelsm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
"C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6xYfwFNBoa.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe
    "C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1296
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tNEyebdJS9.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1332
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84b" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84b" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\Framework\1036\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework\1036\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\Framework\1036\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\es-ES\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6xYfwFNBoa.bat

Filesize
267B

MD5
68f30288679b162d6f1fbf8f033d593b

SHA1
23ba513d61c38579f1dd768fa18e49ce413ba6b5

SHA256
60ab5211f289c610a7663ff883418f7c8d2837afef7e92ce94648f06db646f1c

SHA512
bfb92c929595f10a1364553d091b61c6f75e75b86b038d13fa39a7324b3348e528759eda95a74b77f04db1d0ff6f4513d77088c5539d40d73c017b90d436098c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX49BE.tmp

Filesize
2.7MB

MD5
93b41bde029ee047568eaf23be8cf599

SHA1
50ce44062008f18a3127522e5fa94d373c97ca8f

SHA256
b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84

SHA512
8744ac0e952e5e1d9f40dc89a9131353c475d8eeb309d34e68209e985e16fff80e1df3a16282ad48e95e3f27380e6b47e89d2e6df1ac5b652ab8a4b5b85eecf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tNEyebdJS9.bat

Filesize
224B

MD5
4f2c6debe66cbff203af6439a4f77ee5

SHA1
be7c47b7e768cbaafb20fad97359567d743d7d2c

SHA256
3c97098d3e3b5687bd7361ed3e5ea42f4ed79bcb7533b0319081c89d963233fc

SHA512
09ab37b1fa13345e126d95a2c88827cd6e0f7e99dfec60a8aac6720346b733bbfb1562744c5f8cb241c7504d4541187d8e90c60978a06484ecdd959af3a78e42

Download Submit
C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe

Filesize
2.7MB

MD5
3b8de76fe3217e9df1cb37fdc3115d85

SHA1
530450cfa8e72cd114a30d97cfd32162266d761b

SHA256
aad5921a941a3ae1c4f965f3ad6b021a5fb7f6c902744005b6bf7d35440c65bc

SHA512
902cec748d1ccc2893d7bb90b24c841b0a0fc1c35c684c87a369d720ff44f149291762ab53d6aa37a10d9376b6304929560f0281246cc947eccf92c22539c9b9

Download Submit
memory/1296-73-0x0000000000040000-0x0000000000304000-memory.dmp

Filesize
2.8MB

Download
memory/2092-130-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/2092-129-0x0000000000120000-0x00000000003E4000-memory.dmp

Filesize
2.8MB

Download
memory/3020-7-0x0000000002300000-0x0000000002316000-memory.dmp

Filesize
88KB

Download
memory/3020-18-0x000000001AE70000-0x000000001AE7A000-memory.dmp

Filesize
40KB

Download
memory/3020-8-0x0000000002190000-0x0000000002198000-memory.dmp

Filesize
32KB

Download
memory/3020-10-0x000000001ADD0000-0x000000001AE26000-memory.dmp

Filesize
344KB

Download
memory/3020-11-0x000000001A8B0000-0x000000001A8B8000-memory.dmp

Filesize
32KB

Download
memory/3020-12-0x000000001A8D0000-0x000000001A8E2000-memory.dmp

Filesize
72KB

Download
memory/3020-13-0x000000001AE20000-0x000000001AE2C000-memory.dmp

Filesize
48KB

Download
memory/3020-14-0x000000001AE30000-0x000000001AE38000-memory.dmp

Filesize
32KB

Download
memory/3020-15-0x000000001AE40000-0x000000001AE4E000-memory.dmp

Filesize
56KB

Download
memory/3020-16-0x000000001AE50000-0x000000001AE5E000-memory.dmp

Filesize
56KB

Download
memory/3020-17-0x000000001AE60000-0x000000001AE6C000-memory.dmp

Filesize
48KB

Download
memory/3020-9-0x000000001A8C0000-0x000000001A8CA000-memory.dmp

Filesize
40KB

Download
memory/3020-19-0x000000001AE80000-0x000000001AE8C000-memory.dmp

Filesize
48KB

Download
memory/3020-0-0x000007FEF4C83000-0x000007FEF4C84000-memory.dmp

Filesize
4KB

Download
memory/3020-6-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/3020-5-0x0000000000890000-0x0000000000898000-memory.dmp

Filesize
32KB

Download
memory/3020-71-0x000007FEF4C80000-0x000007FEF566C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-4-0x0000000002160000-0x000000000217C000-memory.dmp

Filesize
112KB

Download
memory/3020-3-0x0000000000880000-0x000000000088E000-memory.dmp

Filesize
56KB

Download
memory/3020-2-0x000007FEF4C80000-0x000007FEF566C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-1-0x00000000008A0000-0x0000000000B64000-memory.dmp

Filesize
2.8MB

Download